1.0 INTRODUCTION AND SUMMARY

1.1 INTRODUCTION 

OBJECTIVE 

The objective of the work reported here was to provide an extension of 
the Complementary-Analytic-Simulative Technique (CAST) so that it would be 
applicable to the Shuttle Data Processing Subsystem (DPS). The accomplishment 
of this objective is to be achieved using a two-step process. The first step 
is to provide models, both analytic and simulative, for analysis of the 
Approach-Landing Test (ALT) configuration. This document contains a report 
of this ALT modeling and analysis. Since CAST had already been shown to be 
applicable to multicomputer systems (NASA Report CR-132552), the emphasis 
during this work was placed on extending the CAST concept so it is applicable 
to computer systems including the multiplicity of input and output devices 
found in a real-time control system application. The modeling and analysis of 
the Orbiter-Flight Test (OFT) is yet to be undertaken. 

ACCOMPLISHMENTS 

The accomplishments of Contract NAS9-14739 are described below and are 
summarized in tabular form in Table 1.1-1. 

The DPS mission-critical survivability for a six-hour mission was 
determined to be 0.999863 for the Shuttle ALT baseline configuration. Thus 
it can be said that for ALT, the survivability is adequate. However, the 
fact that orbiting missions of up to 30 days are planned illustrates the 
necessity of extending the ALT work to be applicable to OFT and actual mission 
scenarios. 

The above analysis led to the evaluation of three selected options 
which identified two areas of possible improvement. These improvements would 
result from use of a recovery technique which combines roll ahead with memory 
copy, and increased TACAN fault detectability. 

The above analysis and resulting conclusions were made possible by: 
extending the GPC analytic model to include imperfect detectability; creating 
a new analytic model to handle configurations involving non-symmetrical 
interconnections (e.g., MCDS); creating a new analytic model to handle combinations 
of dependent device sets (e.g., flight-critical bus and connected units); 
modifying the existing RCS simulator routines to achieve UNIVAC 1108 
compatibility, and adding three routines to reflect transient recovery procedure 
differences; and developing a simulation, consisting of 29 routines, for the 
flight-critical-bus partition. 


TABLE 1.1-1 CONTRACT CONCLUSIONS 


1. CAST Extended Successfully to DPS ALT (Step 1 — This Contract) 

2. DPS ALT Mission-Critical Survivability Determined to be Adequate, i.e., 0.999863 (Step 1 — This Contract) 

3. OFT/Mission Survivability Unknown and Much More Important to NASA 

   • Mission 

   • Mission Duration 

   • System Complexity 

4. OFT/Mission Survivability Can Be Determined Through an Extension of the ALT Models and Subsequent Analysis 

5. Areas of Possible Improvement Determined to Date Are: 

   • GPC Transient-Recovery Procedure 

   • TACAN Detectability 
1.2 SUMMARY 


The results reported here were obtained by use of the enhanced version 
of the complementary-analytic simulative technique (CAST) developed on this 
contract for application to the Shuttle (ALT) avionics system configuration. 
These enhancements include modification of the previous analytic and simulation 
models and development of new models for the configurations not considered in 
previous work. The results are based on a six-hour mission and failure rates 
obtained from, or authorized by, the NASA Project Monitor. 

Figure 1.2-1 presents a summary of the Shuttle avionics DPS failure 
probabilities as a function of mission time for the baseline configuration. 

The curves behave as expected in one respect, i.e., the failure probability 
increases with time. However, it is seen that the GPC failure probability has 
climbed to very close to that of the MCDS, and will for longer mission times 
approach the failure probabilities of the other units, e.g., flight displays. 
This is explained by the fact that the GPCs have high fault detectability and 
redundancy, but a high failure rate. The good detectability and redundancy 
keeps the curve low for short missions, but the high failure rate ultimately 
takes over and drives the curve up. The curves illustrate the necessity to 
perform this type of analysis for OFT and mission scenarios. 

Using CAST, the efficacy of each of three system options was investigated. 
It was found that use of the alternate MDM port for reconfiguration of 
GPC bus assignments will become useful during critical mission phases, when 
TACAN and/or microwave scan beam landing system units with lower failure rates 
become available. The use of a recovery technique consisting of roll ahead 
combined with memory copy has the potential of reducing transient leakage to 
zero (i.e., no transient faults are mistaken for permanents). This compares 
with the result of 70.3% when using the baseline technique of delay recovery. 
This more sophisticated GPC transient-fault recovery technique is most useful 
in hostile transient-fault environments, or when GPC coverage is degraded. 
Improvement in TACAN detectability offers the most promise of improving the 
overall avionics failure probability. For example, improving the TACAN 
detectability from 0.999 to 0.9999 will decrease the overall avionics failure 
probability from 7.7 x 10^-5 to 5.6 x 10^-5. 

Consideration was given to use of laboratory tests to verify the CAST 
models. Laboratory testing to verify the models presented here was found to 
be feasible, but the testing must be carefully designed so as to obtain the 
maximum results in a reasonable test time. This test design, when performed, 
must include both the test procedure and the test implementation, e.g., computer 
programs for automatic fault injection. 



FIGURE 1.2-1 BASELINE CONFIGURATION FAILURE PROBABILITIES 
2.0 BACKGROUND AND DESCRIPTION OF CAST 

2.1 BACKGROUND 

A complementary analytic-simulative technique suitable for extension to 
Shuttle applications was evolved on a previous contract. 

The complementary analytic-simulative technique (CAST) evolved as a 
result of a study performed for NASA Langley Research Center. The objective of 
the study was to provide concepts and engineering data from which a highly-
reliable, fault-tolerant, reconfigurable computer system (RCS) for aircraft 
applications could be designed. For the purposes of the study, an RCS was 
defined to be a redundant configuration of off-the-shelf avionics computers which 
achieved fault-tolerance through use of a variety of recovery techniques. A 
principal study goal was the development and application of reliability and 
fault-tolerance assessment techniques. Particular emphasis was placed on the 
needs of an all-digital, fly-by-wire control system appropriate for a passenger-
carrying airplane. 

As mentioned above, a complementary analytic-simulative technique (CAST) 
for calculation of predicted failure probabilities of multicomputer systems was 
evolved. In addition, measures of fault-tolerance applicable to general fault- 
tolerant computer systems were defined. CAST was applied to 39 example computer 
system configurations to provide insight into the important aspects of these 
configurations, as well as demonstrate the efficacy of the approach. Also, a 
set of customer-provided reliability-enhancement techniques (RETs) was expanded 
and their individual effectiveness was evaluated. 

A representative set of results obtained from applying CAST to an RCS 
is shown on the opposite page. 
2.2 DESCRIPTION OF CAST 


Fault tolerance measures can be produced through a combination of 
engineering characterization of the system, simulation, and analytic modeling. 

Analytic modeling and simulation each has its strengths and limitations. 
However, when these two system evaluation approaches are combined and 
supplemented by an engineering characterization of the system, a very powerful 
technique results. The combination is illustrated in Figure 2.2-1. 

This Complementary Analytic-Simulative Technique (CAST) evolved as it 
became evident that neither analysis nor simulation alone could satisfy all the 
RCS evaluation requirements. Analytic modeling provides flexibility and rapid, 
economical data generation. However, the solutions for some configurations 
are very cumbersome and, in certain cases, the mathematical model formulated 
is intractable. Simulation permits computer system details to be included 
easily, but data generation is slow and expensive. CAST permits the user to 
obtain the best features of both analytic modeling and simulation. 

The engineering characterization is performed to provide six categories 
of information to the analytic modeling and the simulation. These information 
categories are: (1) configuration particulars, (2) fault environment, (3) system 
failure criteria, (4) software structure, (5) recovery features, and (6) test 
features. The individual items in these six categories are shown in the figure. 

The following items are available as simulator outputs: (1) permanent- 
fault coverage, (2) transient-fault coverage, (3) detectability, (4) diagnost- 
ability, and (5) recoverability. 

The analytic modeling provides the following measures of fault tolerance 
(1) computer system survivability (or failure probability), and (2) computer 
system reliability. 
3.0 SHUTTLE (ALT) DATA PROCESSING SUBSYSTEM 

The Shuttle (ALT) Data Processing Subsystem was modeled on the basis of 
information in various Rockwell and IBM descriptive documents. 

The Shuttle (ALT) Data Processing Subsystem is composed of five identical, 
general-purpose digital computers. Each of the five is capable of 
communicating with the peripheral equipment to perform both flight-critical and 
non-critical functions. During the approach-landing test, four of these 
computers operate in concert, receiving the same input data, performing the same 
flight-critical computations, and transmitting the same output commands. 
Recovery time during ALT is intended to be less than one second. The fifth GPC, 
i.e., the one supplying signals to the back-up flight control system, is not 
included since it is only used in ALT if a software error is detected and these 
errors are not modeled during this phase of the work. The DPS is shown 
diagrammatically on the facing page. 

As shown in the figure, communication among the GPCs, and between the 
GPCs and the peripheral devices, is effected through use of seven groups of 
buses. The number of buses in each group is shown on the figure. Each of these 
buses is a one-megahertz serial bus. Communication between units on a bus is 
accomplished through use of command words, command data words, and response 
data words. Each GPC is composed of a central processing unit (CPU) and an 
input-output processor (IOP). All information transfers to and from the GPCs 
are handled through the IOP. Software control is used to instruct each bus 
within a data-bus group whether it is to operate in the command or listen mode. 
When operating in the command mode, data requests and commands are sent to the 
peripheral equipment and the data are then supplied over the same bus. When in 
the listen mode, data are only received on the bus. 

The bus configuration allows each computer to have access to all flight-
critical data received or transmitted by the other computers. Each of the 
redundant subsystems is connected to a different bus. Hence for data input, a 
different computer requests data from each of the subsystems. The requested 
data are then available to all other computers. Thus identical input data are 
available to each computer in the DPS. 

For data output, since each channel of the actuator subsystem is 
connected to a different bus of the group, a different computer transmits command 
data to each of the voting actuator channels. As a result of the bus-computer 
interconnections, each computer can monitor the command data sent out by 
each of the other computers. 

SHUTTLE ORBITER COMPUTER SYSTEM BLOCK DIAGRAM (ALT) 

When data are to be transferred between computers, each computer 
communicates with all other computers through the inter-computer communication 
(ICC) buses. Only the GPCs are connected to the ICC buses. In order to avoid 
data skew of either inputs or outputs, synchronization is accomplished in the 
DPS through use of inter-computer discrete signals and synchronization software. 

Sensors and actuators are connected to the appropriate bus through 
multiplex-demultiplex (MDM) units. Analog display units are connected to their 
bus through display driver units (DDU), while the multifunction CRT display 
system (MCDS) is connected through display electronic units (DEU). The mass 
memory units (MMU) and pulse code modulation master units (PCMMU) are connected 
directly to their respective buses. 

The actual free-flight portion of ALT lasts approximately 172 seconds. 
However, for mission success probability calculations, the mission time can be 
thought of as starting 4.5 hours before takeoff of the Shuttle carrier aircraft 
(SCA) and lasting until 86 minutes after takeoff for a total time of just under 
six hours. 

Fault detection in the Shuttle DPS GPCs is accomplished through use of 
the five techniques shown in Table 3.0-1. The compare-word-sum check involves 
summing critical GPC actuator-command outputs, and each GPC comparing its sum 
with that of the others. This check is performed each computation cycle by the 
Fault Detection Identification Program. If the difference is greater than that 
allowable and has occurred the maximum permissible number of times, then the 
fail-discrete of the faulty GPC is set. 

There are two recovery approaches available in the Shuttle GPC 
configuration. In the first, the crew identifies a failed GPC through use of 
the "fail-discrete" and may either switch out the failed machine or try an 
initial program load (IPL). The IPL approach is used when there is reason to 
believe that a transient fault has been experienced. The second recovery 
approach is crew-enabled inhibition of transmission of outputs from the failed 
GPC; once the crew has enabled it, the inhibition is accomplished automatically. 
It should be noted that restoration of a GPC that may have suffered a transient 
is not attempted during the action portion of ALT. This is because of the 
stringent recovery time constraints and the fact that restoring and adding a 
computer to the redundant set during time-critical mission phases requires a 
significant amount of computer memory and time and introduces greater than 
desirable operational complication. 

Fault detection in the peripheral units of the DPS is accomplished by 
a combination of BITE and GPC-supervised tests. The recovery approach used 
depends upon the particular unit. 


TABLE 3.0-1 FAULT DETECTION, LOCATION AND RECOVERY ACTIONS 


Function            Action/Indication 

Fault Detection     Compare word sum check 
                    Bus channel timeout test 
                    Built-in-test equipment 
                    Self-test programs 
                    Watchdog timer 

Fault Location      Failure-vote-discrete output 
                    GPC-fail-discrete output 

Recovery            Try crew-enabled IPL 
                    Inhibit output transmission 
4.0 ANALYTIC MODEL MODIFICATION 

4.1 SHUTTLE AVIONICS SYSTEM PARTITIONING 

4.1.1 GENERAL 

Partitioning the Shuttle avionics system has a two-fold purpose. First, 
the system must be subdivided into independent module sets. Second, the module 
sets should be sufficiently simple for mathematically tractable solutions. 

By independence of module sets, we mean independence with respect to 
the impact of faults from one set to the other. A definition of independence 
is as follows: Given a collection of module sets, the sets are independent of 
each other if a faulty module within one set does not incapacitate modules 
within any other set. However, within each independent module set, a failure of one 
module type has an effect on other module types. For example, a CPU fault would 
cause its IOP to not function properly, and an MDM failure would prevent access 
to the devices it services. 

Having defined the independent partitions, the survivability of each 
partition may be determined independently and the system survivability is the 
product of the survivabilities of the partitions. 

The first-cut partitions are along the lines of the bus groups. These 
groups are: the four general-purpose computers (GPC); the flight-critical buses 
and connected equipment (FCB); the two mass memory units and their buses (MM); 
the display equipment and their buses (MCDS); the payload operations equipment 
and buses (PLO); the launch-related equipment and buses (LE); and the flight 
instrumentation and buses (PCM). The back-up system is not considered here. 
Modeling it involves consideration of the probability of a software fault and 
its detectability. 

A failure of one of these groups has a different impact on the Shuttle 
mission depending on the group. There are two levels of failure criticality: 
safety critical and mission critical. Safety critical failures threaten the 
Shuttle vehicle and the lives of the crew, while mission critical failures affect 
the accomplishment of the mission. A bus group falls into one of these two 
categories. The safety critical partitions for ALT are: the GPCs, the flight-
critical bus group, and the MCDS. A safety critical failure is also mission 
critical since a lost vehicle implies an unsuccessful mission. Therefore, 
safety critical partitions are also mission critical. The flight 
instrumentation is mission critical, while the remaining bus groups are not 
applicable to ALT. 


• GENERAL-PURPOSE COMPUTER GROUP 

• FLIGHT-CRITICAL-BUSES AND RELATED EQUIPMENT 

• MASS MEMORY EQUIPMENT GROUP 

• DISPLAY EQUIPMENT 

• PAYLOAD OPERATIONS EQUIPMENT 

• LAUNCH-RELATED EQUIPMENT 

• FLIGHT INSTRUMENT EQUIPMENT 

THE SHUTTLE AVIONICS SYSTEM HAS BEEN PARTITIONED 
INTO THESE SEVEN INDEPENDENT EQUIPMENT GROUPS 
4.1.2 DETAILED PARTITIONING 

The approach utilized in arriving at the partitioning described in the 
previous topic involves first a partitioning along functional unit boundaries, and 
then a checking for fault interactions. If fault interactions are not found, the 
partitioning stands. Otherwise a re-partitioning is required. It is desirable to 
refine the partitions into as many smaller parts as possible to make the analysis 
of each as simple as possible. 

THE GPCs 

The GPC is composed of a CPU, memory, and IOP. A failure in any one of 
these areas interferes with the correctness of program execution or output data. 

One may say that an individual MIA failure in the IOP affects only the associated 
bus, and thus the GPC is still capable of performing functions that do not require 
the services of the affected bus. However, the present recovery procedures do not 
take this into account. Also, an MIA represents a very small portion of the total 
GPC failure rate. Thus to a reasonable approximation the set of GPCs is a partition. 

THE FLIGHT-CRITICAL BUSES AND RELATED EQUIPMENT 

The flight critical bus system consists of 8 buses connected to 4 forward 
MDMs, 4 aft MDMs and 2 DDUs. Failures in one of these module groups do not affect 
the other module groups. Bus failures do affect more than one module group, but 
the bus failure rate is very small compared to those of the modules. Because it is 
small, the bus failure rate can be included with each of the module groups with 
a very small resultant error. The result is a slightly pessimistic estimation 
of the survivability. Therefore the forward MDMs, aft MDMs, and DDUs, with the 
buses attached to each, constitute three more partitions. 

FLIGHT INSTRUMENTATION 

The flight instrumentation consists of the PCM masters, OI buses, and OF 
and OA MDMs. An OI bus is dedicated to a PCM master while each of the OF and OA 
MDMs may use either bus. Thus the partitions generated are: PCM master plus OI 
buses, OF MDMs, and OA MDMs. 

OTHER PARTITIONS 

There are four additional partitions. These are the mass memories, the 
displays (MCDS), the payload operations equipment, and the launch-related equipment. 
Because each of these has independent buses that are not used by other module 
groups, they can each be considered as independent partitions. Only the MCDS is 
used in ALT. 

The safety critical and mission critical survivabilities are the product 
of the individual partition survivabilities: 

$$S_S = S_{GPC} \times S_{MCDS} \times S_{FF} \times S_{FA} \times S_{DDU}$$

and 

$$S_M = S_S \times S_{PCM} \times S_{OF} \times S_{OA}$$

where $S_S$ = safety critical survivability, $S_M$ = mission critical 
survivability, and the remaining subscripts pertain to the mnemonics of the 
partitions. 


SAFETY CRITICAL 

1. GPCs and Intercomputer Buses 

2. FF MDMs and All Flight Critical Buses 

3. FA MDMs and FC Buses 5-8 

4. DDUs and FC Buses 1 -4 

5. MCDS and Display Buses 

MISSION CRITICAL 

1. PCM Master and OI Buses 

2. OF MDMs 

3. OA MDMs 

4. Safety Critical Group 


SHUTTLE PARTITIONS FOR ALT 
4.2 GPC MODELING 

4.2.1 STATE DIAGRAM DERIVATION 

The GPC model is directly applicable to all of the partitions except for 
the flight critical bus partitions and the MCDS. Specifically, it models the case 
where a fault anywhere in a string fails the entire string. It is also useful as 
an approximation when this is not the case. 

Prior developments of this model assumed a detection probability of unity 
because fault detection was in all cases (except residual simplex) accomplished by 
voting or comparison. The use of fault detectors such as BITE or self test 
requires the addition of imperfect detectability to the analytic model. 

The state diagram shown in Figure 4.2-1 demonstrates the sequence of events 
taking place in a module set undergoing faults. We begin at time $T = 0$ in the $N$ 
fault-free modules state and find the probability of the module set failing as a 
function of time. Faults occur at a rate $\lambda + \tau$, the sum of the permanent and 
transient fault rates. After a fault occurs, we move to the detection state. With 
probability $u_N$, the detectability, the fault is detected, and we move to the 
transient recovery state. Failure to detect the fault is assumed to pollute the 
system with errors resulting in a system failure. After detection, a transient 
recovery is attempted. If transient recovery is successful, the module set is 
restored to $N$ working units. Transient recovery is unsuccessful if the fault is 
permanent or, with probability $\alpha_N$ (transient leakage), if the fault is transient. 
The unsuccessful transient recovery leads to a permanent recovery procedure where 
either a spare is added or the module set redundancy is reduced by one. Failure 
of permanent recovery results in system failure. 
FIGURE 4.2-1 FAULT OCCURRENCE/RECOVERY STATUS STATE DIAGRAM 


4.2.2 FORMULATION AND SOLUTION OF EQUATIONS 

The probability of system failure is the sum of the probability of failing 
through three mutually exclusive failure paths. The three ways to fail are: 

1. Failure to detect 

2. Incorrect isolation or faulty permanent recovery 

3. Failure from N - 1 fault-free modules 

The probability of failure as a function of mission time then becomes: 

$$F_N(T) = (1 - u_N)\int_0^T N\sigma_t\, e^{-N\delta_N t}\,dt + u_N(1 - v_N w_N)\int_0^T N q_N\, e^{-N\delta_N t}\,dt + u_N v_N w_N\int_0^T N q_N\, e^{-N\delta_N t}\, F_{N-1}(T - t)\,dt$$

where the terms used in the expression are defined in Table 4.2-1. Integrating 
the first two terms, replacing $t$ with $T - t$ in the third term, letting $C_N = u_N v_N w_N$, 
and simplifying, we have 

$$F_N(T) = \left(1 - \frac{C_N q_N}{\delta_N}\right)\left(1 - e^{-N\delta_N T}\right) + N C_N q_N\, e^{-N\delta_N T}\int_0^T e^{N\delta_N t}\, F_{N-1}(t)\,dt$$

Replacing $F_N(T)$ and $F_{N-1}(T)$ with $1 - S_N(T)$ and $1 - S_{N-1}(T)$, respectively, and rearranging 
terms, we have 

$$S_N(T) = e^{-N\delta_N T} + N C_N q_N\, e^{-N\delta_N T}\int_0^T e^{N\delta_N t}\, S_{N-1}(t)\,dt$$
This integral equation may be solved recursively by assuming $S_N(T)$ is a sum of 
exponentials 

$$S_N(T) = \sum_{k=1}^{N} a_{Nk}\, e^{-k\delta_k T}$$

Substituting for $S_{N-1}(t)$ in the above integral equation, performing the integration 
and simplifying yields 

$$S_N(T) = \left(1 - \sum_{k=1}^{N-1}\frac{N C_N q_N\, a_{N-1,k}}{N\delta_N - k\delta_k}\right) e^{-N\delta_N T} + \sum_{k=1}^{N-1}\frac{N C_N q_N\, a_{N-1,k}}{N\delta_N - k\delta_k}\, e^{-k\delta_k T}$$

From this we can identify the recursive definition of the $a$'s as follows: 

$$a_{Nk} = \frac{N C_N q_N\, a_{N-1,k}}{N\delta_N - k\delta_k}, \qquad k = 1, \ldots, N-1$$

$$a_{NN} = 1 - \sum_{k=1}^{N-1} a_{Nk}$$

These equations show the parameter set required for the analytic model. 


TABLE 4.2-1 PARAMETER DEFINITIONS 

$\alpha_N$ = Transient leakage (probability of failure of transient recovery given 
fault is transient) 

$u_N$ = Detectability (probability fault is detected given fault occurs) 

$v_N$ = Diagnosability (probability fault is properly isolated given fault is 
detected) 

$w_N$ = Recoverability (probability system recovers given fault is properly isolated) 

$C_N = u_N v_N w_N$, Coverage (probability system recovers given fault occurs) 

$\sigma_t = \lambda + \tau$, Transient plus permanent failure rate 

$q_N = \lambda + \alpha_N \tau$, Permanent and leaky transient rate 

$\delta_N = u_N q_N + (1 - u_N)\sigma_t$, Rate of faults resulting in failure or redundancy degradation 
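The recursion is straightforward to mechanize. The Python below is an added worked example and not a program from the report: it builds the $a_{Nk}$ table from the Table 4.2-1 parameters, evaluates $S_N(T)$, and checks the closed form against a numerical evaluation of the integral equation it was derived from. The failure rates, detectability, diagnosability, recoverability and leakage values are illustrative assumptions, not the NASA-authorized rates, and the example assumes they are the same at every redundancy level (the report's $N$ subscripts allow them to differ). 

```python
"""Survivability of an N-module partition by the sum-of-exponentials recursion
of Section 4.2.2, cross-checked against the integral equation it came from.
Added worked example, not code from the report. All rates (per hour) and
coverage figures are illustrative assumptions, and the same detectability,
diagnosability, recoverability and leakage are assumed at every redundancy
level, which the report's N subscripts do not require."""
import math


def state_params(lam, tau, u, v, w, alpha):
    """Table 4.2-1 quantities for one redundancy level: (C_N, q_N, delta_N)."""
    sigma_t = lam + tau                   # total fault rate, lambda + tau
    q = lam + alpha * tau                 # permanent plus leaky-transient rate
    c = u * v * w                         # coverage
    delta = u * q + (1.0 - u) * sigma_t   # per-module rate of failure or degradation
    return c, q, delta


def uniform_params(n_max, **kw):
    """Same parameters at every redundancy level 1..n_max (the assumption above)."""
    return {n: state_params(**kw) for n in range(1, n_max + 1)}


def coefficients(n_max, per_state):
    """a[n][k] with a_nk = n C_n q_n a_{n-1,k} / (n delta_n - k delta_k), a_nn = 1 - sum_k a_nk."""
    a = {1: {1: 1.0}}                     # simplex: S_1(T) = exp(-delta_1 T)
    for n in range(2, n_max + 1):
        c_n, q_n, d_n = per_state[n]
        row = {}
        for k in range(1, n):
            d_k = per_state[k][2]
            row[k] = n * c_n * q_n * a[n - 1][k] / (n * d_n - k * d_k)
        row[n] = 1.0 - sum(row.values())
        a[n] = row
    return a


def survivability(n, T, per_state):
    """S_n(T) = sum_{k=1}^{n} a_nk exp(-k delta_k T)."""
    a = coefficients(n, per_state)
    return sum(a[n][k] * math.exp(-k * per_state[k][2] * T) for k in range(1, n + 1))


def simpson(f, lo, hi, panels=200):
    """Composite Simpson rule; panels must be even."""
    h = (hi - lo) / panels
    acc = f(lo) + f(hi) + sum((4 if i % 2 else 2) * f(lo + i * h) for i in range(1, panels))
    return acc * h / 3.0


def survivability_by_integral(n, T, per_state):
    """S_n(T) = e^{-n delta_n T} [1 + n C_n q_n int_0^T e^{n delta_n t} S_{n-1}(t) dt],
    evaluated numerically with the closed form for S_{n-1}: a consistency check
    on the recursion that does not reuse the algebra that produced the a_nk."""
    c_n, q_n, d_n = per_state[n]
    inner = lambda t: math.exp(n * d_n * t) * survivability(n - 1, t, per_state)
    return math.exp(-n * d_n * T) * (1.0 + n * c_n * q_n * simpson(inner, 0.0, T))


def gpc_example(T=6.0):
    """Four GPCs over a six-hour mission with assumed parameters; returns
    (closed-form S_4, integral-equation S_4, failure probability 1 - S_4)."""
    ps = uniform_params(4, lam=1e-4, tau=1e-3, u=0.99, v=0.99, w=0.99, alpha=0.1)
    s_closed = survivability(4, T, ps)
    s_check = survivability_by_integral(4, T, ps)
    return s_closed, s_check, 1.0 - s_closed


if __name__ == "__main__":
    s, chk, f = gpc_example()
    print(f"S_4(6 h) = {s:.9f}, integral check {chk:.9f}, failure probability {f:.3e}")
```

With $u = v = w = 1$ and no transients the recursion collapses to $1 - (1 - e^{-\lambda T})^N$, which is a convenient hand check before trusting the imperfect-detectability numbers. 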
4.3 MCDS MODELING 

4.3.1 STATE DIAGRAM DERIVATION 

The multifunction CRT display system (MCDS) is a special case to 
be modeled. It consists of the display electronics unit (DEU), display unit (DU) 
and keyboard (KB). The DU is dedicated to the DEU, so we consider it a part of 
the DEU for analysis purposes. There are two KBs connected to three DEUs by a 
switching arrangement. The switches allow three configurations as follows: 

1. KB A <-> DEU A, KB B <-> DEU B 

2. KB A <-> DEU A, KB B <-> DEU C 

3. KB A <-> DEU C, KB B <-> DEU B 

This connection arrangement is illustrated in Figure 4.3-1. The fault 
occurrence/recovery status state diagram is given in Figure 4.3-2. At the 
beginning of the mission, the MCDS is in the no faults state. If a keyboard fails, one 
of the DEUs will be permanently deprived of a keyboard. The mission continues with 
a simplex keyboard and duplex DEUs. If DEU C fails, then KB A will be dedicated to 
DEU A, and KB B will be dedicated to DEU B for the remainder of the mission. If 
DEU A or B fails first, then one KB is dedicated to DEU C while the other may be 
connected to either DEU C or B (we assume A was the failed DEU). There are four 
possibilities for the next failure: (1) If the dedicated KB fails then the common 
KB may serve the remaining DEUs. We have a simplex keyboard and a duplex DEU. 
(2) If the common keyboard fails, then DEU B has no access to a KB. We complete 
the mission in simplex. (3) If DEU C fails, the dedicated KB has no DEU to serve; 
we complete the mission in simplex. Or (4) if DEU B fails, then we complete the 
mission with duplex KBs and simplex DEU. 
FIGURE 4.3-1 SYMBOLIC INTERCONNECTION DIAGRAM OF THE MCDS 

FIGURE 4.3-2 FAULT OCCURRENCE/RECOVERY STATUS STATE DIAGRAM FOR THE MCDS 
4.3.2 EQUATION DERIVATION 

The quantities used in the derivation that follows are given in Table 4.3-1. 
The survivability is the sum of four mutually exclusive probabilities 
as can be seen from the state diagram of Figure 4.3-2. 

1. No failures occur. 

2. The first failure is to DEU A or B, and the system survives any 
subsequent faults. 

3. The first failure is to a KB, and the system survives any 
subsequent failures. 

4. The first failure is to DEU C, and the system survives subsequent 
faults. 

By using the general expressions for simplex and duplex survivability, $S(T)$ 
then becomes 

$$S(T) = S_{23}(T) + 2 C_{d3}\sigma_{d3}\, S_{23}(T)\int_0^T \frac{S_{DEU\,FAILED}(t)}{S_{23}(t)}\,dt$$

$$\quad + 2 C_{k2}\sigma_{k2}\, S_{23}(T)\int_0^T \left[\frac{2 C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\, S_{11}(t) + \left(1 - \frac{2 C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\right) S_{12}(t)\right]\frac{dt}{S_{23}(t)}$$

$$\quad + C_{d3}\sigma_{d3}\, S_{23}(T)\int_0^T \left[\frac{2(C_{k2}\sigma_{k2} + C_{d2}\sigma_{d2})}{2(\delta_{k2} + \delta_{d2}) - \delta_{k1} - \delta_{d1}}\, S_{11}(t) + \left(1 - \frac{2(C_{k2}\sigma_{k2} + C_{d2}\sigma_{d2})}{2(\delta_{k2} + \delta_{d2}) - \delta_{k1} - \delta_{d1}}\right) S_{22}(t)\right]\frac{dt}{S_{23}(t)}$$

The problem is to find $S_{DEU\,FAILED}$. It is the sum of four mutually exclusive 
probabilities: 

1. No more failures. 

2. The next failure is to the common KB or to DEU C, and 
the system survives. 

3. The next failure is to the dedicated KB, and the system 
survives. 

4. The next failure is to DEU B, and the system survives. 
TABLE 4.3-1 SYMBOL DEFINITIONS 


*  $\lambda$ = Permanent Fault Rate 

*  $\tau$ = Transient Fault Rate 

** $u$ = Detectability 

** $v$ = Diagnosability 

** $w$ = Recoverability 

** $C$ = Coverage, i.e., $uvw$ 

** $\ell$ = Transient Leakage 

   $\sigma_t = \lambda + \tau$, Total Fault Rate 

** $\sigma = \lambda + \ell\tau$, Effective Permanent Fault Rate 

** $\delta = u\sigma + (1 - u)\sigma_t$ 

   $S_{mn}(t) = \exp[-(m\,\delta_{km} + n\,\delta_{dn})\,t]$ 


* Quantities marked with an asterisk have a subscript k or d to indicate 
association with a keyboard or DEU + DU, respectively. 

** Quantities marked with a double asterisk have a double subscript kn 
or dn to indicate n keyboards remaining or n DEU + DUs remaining, 
respectively. 
So $S_{DEU\,FAILED}$ becomes 

$$S_{DEU\,FAILED}(T) = S_{22}(T) + (C_{k2}\sigma_{k2} + C_{d2}\sigma_{d2})\, S_{22}(T)\int_0^T \frac{S_{11}(t)}{S_{22}(t)}\,dt$$

$$\quad + C_{k2}\sigma_{k2}\, S_{22}(T)\int_0^T \left[\frac{2 C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\, S_{11}(t) + \left(1 - \frac{2 C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\right) S_{12}(t)\right]\frac{dt}{S_{22}(t)}$$

$$\quad + C_{d2}\sigma_{d2}\, S_{22}(T)\int_0^T \left[\frac{2 C_{k2}\sigma_{k2}}{2\delta_{k2} - \delta_{k1}}\, S_{11}(t) + \left(1 - \frac{2 C_{k2}\sigma_{k2}}{2\delta_{k2} - \delta_{k1}}\right) S_{21}(t)\right]\frac{dt}{S_{22}(t)}$$

$$= S_{22}(T) + \frac{C_{k2}\sigma_{k2} + C_{d2}\sigma_{d2}}{2\delta_{k2} + 2\delta_{d2} - \delta_{k1} - \delta_{d1}}\left[S_{11}(T) - S_{22}(T)\right]$$

$$\quad + \frac{2 C_{k2}\sigma_{k2} C_{d2}\sigma_{d2}}{(2\delta_{d2} - \delta_{d1})(2\delta_{k2} + 2\delta_{d2} - \delta_{k1} - \delta_{d1})}\left[S_{11}(T) - S_{22}(T)\right] + \frac{C_{k2}\sigma_{k2}}{2\delta_{k2} - \delta_{k1}}\left(1 - \frac{2 C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\right)\left[S_{12}(T) - S_{22}(T)\right]$$

$$\quad + \frac{2 C_{d2}\sigma_{d2} C_{k2}\sigma_{k2}}{(2\delta_{k2} - \delta_{k1})(2\delta_{k2} + 2\delta_{d2} - \delta_{k1} - \delta_{d1})}\left[S_{11}(T) - S_{22}(T)\right] + \frac{C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\left(1 - \frac{2 C_{k2}\sigma_{k2}}{2\delta_{k2} - \delta_{k1}}\right)\left[S_{21}(T) - S_{22}(T)\right]$$




Substituting $S_{DEU\,FAILED}$ into the expression for $S(T)$, we have the following result: 

$$S(T) = S_{23}(T)$$

$$\quad + \frac{S_{11}(T) - S_{23}(T)}{2\delta_{k2} + 3\delta_{d3} - \delta_{k1} - \delta_{d1}}\left[\frac{4 C_{k2}\sigma_{k2} C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}} + \frac{4 C_{d3}\sigma_{d3}(C_{k2}\sigma_{k2} + C_{d2}\sigma_{d2})}{2\delta_{k2} + 2\delta_{d2} - \delta_{k1} - \delta_{d1}} + \frac{4 C_{d3}\sigma_{d3} C_{k2}\sigma_{k2} C_{d2}\sigma_{d2}}{2\delta_{k2} + 2\delta_{d2} - \delta_{k1} - \delta_{d1}}\left(\frac{1}{2\delta_{d2} - \delta_{d1}} + \frac{1}{2\delta_{k2} - \delta_{k1}}\right)\right]$$

$$\quad + \frac{S_{12}(T) - S_{23}(T)}{2\delta_{k2} + 3\delta_{d3} - \delta_{k1} - 2\delta_{d2}}\; 2 C_{k2}\sigma_{k2}\left(1 - \frac{2 C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\right)\left(1 + \frac{C_{d3}\sigma_{d3}}{2\delta_{k2} - \delta_{k1}}\right)$$

$$\quad + \frac{S_{21}(T) - S_{23}(T)}{3\delta_{d3} - \delta_{d1}}\; \frac{2 C_{d3}\sigma_{d3} C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\left(1 - \frac{2 C_{k2}\sigma_{k2}}{2\delta_{k2} - \delta_{k1}}\right)$$

$$\quad + \frac{S_{22}(T) - S_{23}(T)}{3\delta_{d3} - 2\delta_{d2}}\; C_{d3}\sigma_{d3}\left[3 - \frac{4(C_{k2}\sigma_{k2} + C_{d2}\sigma_{d2})}{2\delta_{k2} + 2\delta_{d2} - \delta_{k1} - \delta_{d1}} - \frac{4 C_{k2}\sigma_{k2} C_{d2}\sigma_{d2}}{2\delta_{k2} + 2\delta_{d2} - \delta_{k1} - \delta_{d1}}\left(\frac{1}{2\delta_{d2} - \delta_{d1}} + \frac{1}{2\delta_{k2} - \delta_{k1}}\right) - \frac{2 C_{k2}\sigma_{k2}}{2\delta_{k2} - \delta_{k1}}\left(1 - \frac{2 C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\right) - \frac{2 C_{d2}\sigma_{d2}}{2\delta_{d2} - \delta_{d1}}\left(1 - \frac{2 C_{k2}\sigma_{k2}}{2\delta_{k2} - \delta_{k1}}\right)\right]$$


4.4 FLIGHT CRITICAL BUS MODELS 
4.4.1 GENERAL 

The flight critical bus partitions present a difficult modeling problem 
due to the fact that an MDM or DDU failure fails the entire string, while a 
device failure does not necessarily mean a string failure. For example, if MDM 
FF1 fails to function, the GPCs are no longer able to access the devices 
dedicated to FF1. On the other hand, if accelerometer 1 fails, MDM FF1 may still 
communicate with the remaining devices in the string. Thus the device types 
appear dependent in pairs, but are in actuality dependent through the MDMs or DDUs. 

The modeling technique used in the previous sections results in mathe- 
matically intractable formulations when applied to this situation. However, an 
approximate model is appropriate for cross-checking against the flight critical 
bus simulation, and for providing rapid and economical results after a successful 
cross check. There are two approximations possible with the previous modeling 
technique. One approach involves assuming complete unit independence and the 
other is to assume total unit dependence. These represent an upper and a lower 
bound, respectively, on the true survivability. An intermediate solution that 
provides realistic, usable results may be obtained by taking each of the mutually 
exclusive cases of MDM or DDU failure combinations and modeling the remaining 
devices' survivability, given that failure combination. Each possible combina- 
tion that can result in a successful mission is modeled. As an example of one 
of these combinations, suppose MDM FF1 fails and the other FF MDMs survive; then 
the ADTA must survive the mission in triplex while the other device types must 
survive in duplex. 

By fixing the failure conditions of the interfaces (MDMs and DDUs) that 
make the devices dependent, we have removed the cause of the dependence of the 
devices. A further exposition of this method is contained in the sections that 
follow. 
4.4.2 DDU MODEL DERIVATION 

The flight display partition consists of the display drive units (DDUs) 
driving the altitude vertical velocity indicator (AVI), alpha/mach indicator 
(AMI), horizontal situation indicator (HSI), and the attitude direction indi- 
cator (ADI). There are duplicate display strings. In the modeling of this 
partition there are two, mutually-exclusive failure conditions of the DDUs that 
can result in the survival of the displays: none fail or only one fails. If 
no DDUs fail during the mission then each indicator must survive independently 
in duplex. And if one DDU fails, each display associated with the non-failed 
DDU must survive. The display partition survivability becomes the sum of these 
two survival conditions as follows: 


$$S_{DDU} = R_{DDU}^{2}\, S_{AVI}^{(2)} S_{AMI}^{(2)} S_{HSI}^{(2)} S_{ADI}^{(2)}
+ 2\, C_2\, R_{DDU}\,(1 - R_{DDU})\, S_{AVI}^{(1)} S_{AMI}^{(1)} S_{HSI}^{(1)} S_{ADI}^{(1)}$$


where the superscript on S represents the redundancy level that the display must 
survive from. 


The quantity C_2 is the coverage associated with one DDU failing some- 
time during the mission. This coverage is not simply the DDU coverage because 
one or more of the displays on the string may have failed before the DDU. Of 
course, display failures after the DDU fails have no impact. We need to find 

P_A = Pr [device A fails before the DDU, given the DDU fails before T]. 

The quantity C_2 then becomes 


$$C_2 = C_{DDU}\,(1 - P_{AVI} + C_{AVI} P_{AVI})(1 - P_{AMI} + C_{AMI} P_{AMI})
(1 - P_{HSI} + C_{HSI} P_{HSI})(1 - P_{ADI} + C_{ADI} P_{ADI})$$


where the subscripts on P correspond to the mnemonics of the displays. 

Now P_A is the joint probability of A failing before the DDU and the DDU 
failing before T, all divided by the probability of the DDU failing before T. So 

$$P_A = \frac{\Pr[\text{A fails before the DDU and the DDU fails before } T]}{1 - e^{-\alpha_{DDU} T}}$$

The numerator is the integral over the mission time of the product of the 
probability of A failing by t and the probability of the DDU failing between 
t and t+dt. 


Substituting into the expression for P_A and then letting A be the AVI, AMI, 
HSI, and ADI in the expression for C_2 yields the desired expression for S_DDU. 


DEFINITION OF SYMBOLS 

λ = Permanent failure rate 
τ = Transient failure rate 

a DDU * X DDU + *DDU X DDU 

C, = u 2 v 2 w 2 

S_A^(k) = Unit A survivability with initial redundancy level k 

A = Either AVI, AMI, HSI, or ADI 
4.4.3 FLIGHT-CRITICAL-MDM SURVIVABILITY-MODEL DERIVATIONS 

The forward and aft flight critical MDMs present a more complicated 
situation to model. Here the first three MDMs (denoted type 1) serve several 
identical flight critical devices, while the fourth serves only one device 
(see Figure 4.4-1). In this case, we consider the survival conditions with 
six mutually exclusive MDM failure configurations as follows: 

1. No MDM failures 

2. No MDM type-1 failures, MDM 4 fails 

3. One MDM type-1 failure, no MDM 4 failure 

4. One MDM type-1 failure, MDM 4 fails 

5. Two MDM type-1 failures, no MDM 4 failure 

6. Two MDM type-1 failures, MDM 4 fails 

In each of the cases, the set of devices served by the non-failed MDMs 
must independently survive the remainder of the mission. Also, the coverage 
associated with each MDM failure must take into account device failures on the 
string prior to the MDM failure. In the flight forward case, MDMs 1-4 serve 
the ADTA while only MDMs 1-3 serve the remaining devices. The resulting flight- 
forward survivability expression is as follows: 


$$\begin{aligned}
S_{FF} ={}& R_{M1}^{3} R_{M4}\, S_{ADT}^{(4)} S_{IMU}^{(3)} S_{TAC}^{(3)} S_{MLS}^{(3)} S_{RHC}^{(3)} S_{RPT}^{(3)} S_{SBC}^{(3)} \\
&+ C_4 R_{M1}^{3} (1 - R_{M4})\, S_{ADT}^{(3)} S_{IMU}^{(3)} S_{TAC}^{(3)} S_{MLS}^{(3)} S_{RHC}^{(3)} S_{RPT}^{(3)} S_{SBC}^{(3)} \\
&+ 3 C_3 R_{M1}^{2} R_{M4} (1 - R_{M1})\, S_{ADT}^{(3)} S_{IMU}^{(2)} S_{TAC}^{(2)} S_{MLS}^{(2)} S_{RHC}^{(2)} S_{RPT}^{(2)} S_{SBC}^{(2)} \\
&+ 3 C_3 C_4 R_{M1}^{2} (1 - R_{M4})(1 - R_{M1})\, S_{ADT}^{(2)} S_{IMU}^{(2)} S_{TAC}^{(2)} S_{MLS}^{(2)} S_{RHC}^{(2)} S_{RPT}^{(2)} S_{SBC}^{(2)} \\
&+ 3 C_3 C_2 R_{M1} R_{M4} (1 - R_{M1})^{2}\, S_{ADT}^{(2)} S_{IMU}^{(1)} S_{TAC}^{(1)} S_{MLS}^{(1)} S_{RHC}^{(1)} S_{RPT}^{(1)} S_{SBC}^{(1)} \\
&+ 3 C_4 C_3 C_2 R_{M1} (1 - R_{M4})(1 - R_{M1})^{2}\, S_{ADT}^{(1)} S_{IMU}^{(1)} S_{TAC}^{(1)} S_{MLS}^{(1)} S_{RHC}^{(1)} S_{RPT}^{(1)} S_{SBC}^{(1)}
\end{aligned}$$


where each term corresponds to an MDM failure condition given above. In the 
flight aft case, MDMs 1-4 serve the ASA while only MDMs 1-3 serve the rate 
gyros. Similarly, the aft survivability becomes: 
$$\begin{aligned}
S_{FA} ={}& R_{M1}^{3} R_{M4}\, S_{ASA}^{(4)} S_{GYR}^{(3)} \\
&+ C_4 R_{M1}^{3} (1 - R_{M4})\, S_{ASA}^{(3)} S_{GYR}^{(3)} \\
&+ 3 C_3 R_{M1}^{2} R_{M4} (1 - R_{M1})\, S_{ASA}^{(3)} S_{GYR}^{(2)} \\
&+ 3 C_3 C_4 R_{M1}^{2} (1 - R_{M4})(1 - R_{M1})\, S_{ASA}^{(2)} S_{GYR}^{(2)} \\
&+ 3 C_3 C_2 R_{M1} R_{M4} (1 - R_{M1})^{2}\, S_{ASA}^{(2)} S_{GYR}^{(1)} \\
&+ 3 C_4 C_3 C_2 R_{M1} (1 - R_{M4})(1 - R_{M1})^{2}\, S_{ASA}^{(1)} S_{GYR}^{(1)}
\end{aligned}$$


DEFINITION OF SYMBOLS 

$R_{M1} = e^{-\alpha_{M1} T}$; M1 denotes MDMs 1 through 3 

$R_{M4} = e^{-\alpha_{M4} T}$; M4 refers to MDM 4 

$S_A^{(k)}$ is the survivability of the device with 
mnemonic A with initial redundancy level k. 

$C_k$ is the coverage associated with an MDM 
failure, taking into account devices failing 
before the MDM at redundancy level k. 

$C_4$ is the coverage associated with MDM 4 failing. 
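The DDU derivation (Section 4.4.2) and the six-case MDM enumeration (Section 4.4.3) can be carried through numerically; the block below is an added worked example, not code from the report. It assumes exponential failure times (so the P_A integral has the closed form shown), takes S^(k) to be 1-of-k independent exponential units with perfect coverage, and uses constructed rates, coverages and the six-hour mission length; s_ff generalizes the hand-expanded six-term expression by looping over the MDM failure cases.

```python
import math
from math import comb

T_MISSION = 6.0  # hours; the six-hour ALT mission used in the report


def p_a_joint(lam_a, alpha_ddu, T):
    """Pr[A fails before the DDU and the DDU fails before T].

    Integral over the mission of Pr[A failed by t] times the probability that
    the DDU fails in (t, t+dt). With exponential failure times the integrand is
    (1 - e^{-lam t}) * alpha * e^{-alpha t}, which gives the closed form below.
    """
    return (1.0 - math.exp(-alpha_ddu * T)) - alpha_ddu / (alpha_ddu + lam_a) * (
        1.0 - math.exp(-(alpha_ddu + lam_a) * T)
    )


def p_a_joint_numeric(lam_a, alpha_ddu, T, steps=20000):
    """Midpoint-rule evaluation of the same integral, used to cross-check."""
    h = T / steps
    total = 0.0
    for i in range(steps):
        t = (i + 0.5) * h
        total += (1.0 - math.exp(-lam_a * t)) * alpha_ddu * math.exp(-alpha_ddu * t)
    return total * h


def p_a(lam_a, alpha_ddu, T):
    """P_A: given the DDU fails before T, the probability that A failed first."""
    return p_a_joint(lam_a, alpha_ddu, T) / (1.0 - math.exp(-alpha_ddu * T))


def c_2(c_ddu, displays, alpha_ddu, T):
    """Coverage of one DDU failure; displays maps mnemonic -> (lam_A, C_A)."""
    cov = c_ddu
    for lam_a, c_a in displays.values():
        pa = p_a(lam_a, alpha_ddu, T)
        cov *= 1.0 - pa + c_a * pa
    return cov


def s_level(lam, k, T):
    """S^(k): survivability from initial redundancy level k.

    Assumed here as 1-of-k independent exponential units with perfect
    coverage; the report derives S^(k) in its earlier sections.
    """
    return 1.0 - (1.0 - math.exp(-lam * T)) ** k


def s_ddu(c_ddu, displays, alpha_ddu, T):
    """Display-partition survivability: the two DDU failure cases of 4.4.2."""
    r = math.exp(-alpha_ddu * T)
    duplex = math.prod(s_level(lam, 2, T) for lam, _ in displays.values())
    simplex = math.prod(s_level(lam, 1, T) for lam, _ in displays.values())
    return r * r * duplex + 2.0 * c_2(c_ddu, displays, alpha_ddu, T) * r * (1.0 - r) * simplex


def s_ff(r_m1, r_m4, cov, s_adt, s_other):
    """Flight-forward survivability by enumerating the six MDM cases of 4.4.3.

    cov[k] is the coverage C_k; s_adt(k) and s_other(k) return the ADTA
    survivability and the product of the other six devices' survivabilities
    from redundancy level k.
    """
    total = 0.0
    for j in (0, 1, 2):  # number of type-1 MDM (MDMs 1-3) failures
        w1 = comb(3, j) * r_m1 ** (3 - j) * (1.0 - r_m1) ** j
        c1 = math.prod(cov[3 - i] for i in range(j))  # 1, C_3, or C_3*C_2
        for m4_fails in (False, True):
            w4 = cov[4] * (1.0 - r_m4) if m4_fails else r_m4
            adt_level = (3 - j) + (0 if m4_fails else 1)  # MDM 4 serves only the ADTA
            total += w1 * c1 * w4 * s_adt(adt_level) * s_other(3 - j)
    return total


# Constructed sample rates (per hour) and coverages; not the report's values.
DISPLAYS = {"AVI": (5e-5, 0.98), "AMI": (5e-5, 0.98), "HSI": (8e-5, 0.95), "ADI": (1e-4, 0.95)}
ALPHA_DDU = 2e-4

if __name__ == "__main__":
    print("P_ADI =", p_a(DISPLAYS["ADI"][0], ALPHA_DDU, T_MISSION))
    print("C_2   =", c_2(0.99, DISPLAYS, ALPHA_DDU, T_MISSION))
    print("S_DDU =", s_ddu(0.99, DISPLAYS, ALPHA_DDU, T_MISSION))
    r_m = math.exp(-1e-4 * T_MISSION)
    print("S_FF  =", s_ff(r_m, r_m, {2: 0.9, 3: 0.95, 4: 0.95},
                         lambda k: s_level(1e-4, k, T_MISSION),
                         lambda k: s_level(1e-4, k, T_MISSION) ** 6))
```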
5.0 SIMULATOR 

5.1 SIMULATOR BACKGROUND AND MODIFICATIONS 

5.1.1 BACKGROUND - RCS SIMULATOR 

The RCS simulator was developed to provide parameters, which could not 
be estimated directly, to the analytic model. 

The use of simulation studies to investigate the behavior of computer 
hardware/software systems is well-established. Simulation is used for those 
situations which are intractable to an analytic approach, or for which the essence 
is lost when the prerequisite abstractions and simplifying assumptions necessary 
to the analytic technique are made. 

Much attention has been given to improving the mission success probability 
(MSP) of computer systems by the addition of protective redundancy. Such re- 
dundancy allows the system to continue correct operation in the presence of one 
or more failed components. The efficacy of this improvement is measured by the 
MSP increase. 

The mission success probability is defined as the probability that, given 
that there were no failed components or erroneous memory information present at 
mission inception, the hardware and software are operating correctly at the end 
of the mission. Thus the system must be able to survive both permanent and 
transient faults. 

In order to make an accurate analytic determination of the MSP of this 
type of system, all fault- tolerance processes (e.g., detection, recoveries, etc.) 
must be modeled. However, for even a reasonable approximation to a real-world 
implementation, a mathematical model soon becomes intractable. Simulation is 
then the alternative solution. 

The goal in the RCS work was an approach that is applicable to a wide 
variety of computer designs, and one which reflects the hardware-software inter- 
action. Thus, a logic-level simulation would provide needless detail, in addition 
to sacrificing versatility. Hence, a modeling level of detail was chosen that 
permits description of system details, but is versatile enough to accommodate 
different computers and configurations. 

Translating these ideas into RCS simulation objectives yielded the 
following three items. The simulator should produce: (1) the fault-tolerance 
of each of a wide variety of reconfigurable computer system configurations; 
(2) global parameters for use in analytic modeling; and (3) the behavior of a 
configuration in various fault environments. 

The requirements imposed on the simulator design by these three objec- 
tives are examined in the following paragraphs. 

The simulator should be able to produce the desired measures of fault- 
tolerance for a wide variety of configurations. This requirement can be satisfied 
in a reasonable way by structuring the simulator such that the various fault- 
detection and recovery algorithms are implemented as subroutines. Thus a con- 
figuration can be described by specifying the applicable set of subroutines, 
plus the necessary parameters. This simulator structure provides versatility 
and modularity, and minimizes the impact of addition of new subroutines. 

Global parameters are those required when using the analytic model 
for analysis of a configuration. For example, the transient coverage in triplex, 
C_T, has been defined as the conditional probability that a triplex system 
recovers, given that a transient has occurred. If a configuration is analyzed 
by mathematical modeling, C_T is one of the input parameters of the model. 

However, it is difficult for the designer to evaluate C_T, since it may depend 
on: the location of the transient fault; their occurrence rate; the time 
between occurrence and detection of a fault; and the recovery algorithm used. 

By introducing these factors into the simulation and gathering statistics 
describing the computer system reaction to transient faults, C_T can be estimated 
by computing the ratio of the number of successful recoveries from transient 
faults to the total number of transients. 

Thus, for the configurations where the mathematical modeling is appli- 
cable, one simulation run gives an estimate of these parameters of the modeling. 
Then using the model, the MSP of the configuration can be easily determined 
for any given time t. 

The fault environment provided in the simulator should be sufficiently 
versatile to provide all expected possibilities to test the recovery algorithm 
utilized in the configuration under simulation. Thus low or high failure rates, 
existence and duration of transient bursts, long transients, mathematical fault- 
distribution functions, etc. must be provided. Implementation of this fault 
environment should be accomplished so as to provide maximum flexibility of 
environment choice by the user. 
5.1.2 EXTENSION OF RCS WORK 

The simulator for the Shuttle Data Processing Subsystem is based on the 
RCS simulator. The basic simulator structure is the same, but nearly all of 
the programs have been modified and 32 programs have been added. The major 
effort was spent on the flight-critical bus partition simulation, as this had 
to be developed from scratch. The shuttle DPS software utilizes a transient 
recovery procedure that was not postulated in the RCS simulator. A methodology 
for the simulation of this recovery procedure had to be developed. The flexi- 
bility of the simulator was increased by making all transient recovery procedures 
optional. Other changes include improvements to the simulator I/O format and 
the replacement of most source statements that are incompatible with the UNIVAC 
1108 Fortran compiler. 

The flight-critical bus subsystem was partitioned into six classes for 
separate simulation of faults occurring in: the flight-critical buses, the bus 
terminal units (MDMs and DDUs), devices directly interfaced with the DDU, 
dedicated devices directly interfaced with the FF-MDMs, non-dedicated devices 
interfaced with the FF-MDMs, and devices interfaced with the FA MDMs. A main 
routine determines in which equipment group the fault occurs and transfers 
control to the appropriate simulation routine. These routines utilize FCB 
redundancy and interconnection arrays to determine the impact of the fault on 
the system. The arrays are then updated to reflect the new system status. 

The RCS STATE simulation subroutines were modified in order that the 
FCB simulation could be included with GPC simulation. Here a routine FIFAU, 
which is always invoked upon a fault occurrence, was modified to invoke the 
FCB simulation routines for faults located in the FCB partition. It was 
necessary to modify the interface to FIFAU in all of the state simulation 
subroutines. 

FCOS uses a different recovery procedure than was postulated in the 
RCS work. Upon the occurrence of a fault, it is recorded, but no recovery 
action is taken. If the fault recurs within a certain time window, it is 
assumed to be permanent, and the system is reconfigured. With this procedure, 
transient faults whose ill effects disappear after a small time interval do not 
cause unnecessary system degradation. This recovery procedure had to be modeled 
and implemented in the simulator program. It was implemented by modifying 
STATE 2 and STATE 8 of the simulator programs. In addition, the simulator was 
given more versatility by making all recovery techniques optional. 
The simulator input deck had to be modified because several new param- 
eters were introduced. In the process it was set up to use a more uniform 
structure in order that the chance of error could be decreased. The output 
format has been modified to include only the pertinent parameters in the 
configuration summary and to include confidence intervals for simulator 
statistics. 
5.2 GENERAL DISCUSSION OF THE SIMULATOR 

5.2.1 SIMULATOR CHARACTERISTICS 


A fault-driven simulation that permits multiple simulation runs with one 
submission has been designed. 

Certain aspects of the general approach to the design of the simulator 
are implicit in objectives 1 and 3 listed in Section 5.1.1, namely the need for 
versatility and flexibility. There is a third, as-yet-unstated requirement, and 
that is for an efficient implementation that results in a reasonable computer- 
cost per run. 

The versatility and flexibility requirements can be satisfied by de- 
signing a modular simulator that is easily modified (flexibility), and that 
models many configuration and fault-environment possibilities (versatility). 

Since we are concerned with behavior of the computer system following occurrence 
of a fault, we can obtain an efficient implementation by designing a "fault- 
driven" simulator, rather than one that simulates the continuous operation of 
the system. Thus, a fault-driven simulation is one that moves from fault occur- 
rence to fault occurrence, simulating the response of the system to each fault, 
but not simulating the operation of the system in between. 

The modularity of the simulator has been demonstrated as it was con- 
verted from the RCS simulator to the GPC simulator. Its versatility is indi- 
cated by the fact that it can model eight GPC configuration types, and eight 
fault-environment possibilities. 

The simulator program consists of a collection of FORTRAN IV computer 
programs (to be run in a CDC 6600 CYBERNET computer environment) organized and 
designed to satisfy the simulation objectives. The gross organization of the 
simulation is presented in Figure 5.2-1. The main routine in charge of directing 
the processing flow of the simulation is designated the Driver. A collection of 
subroutines are accessible to the Driver via FORTRAN CALL statements. Each of 
the computer system states are represented by a subroutine. Other supportive 
subroutines perform statistics gathering and probability generating functions. 
FIGURE 5.2-1 THE RCS SIMULATOR IS STRUCTURED TO PERMIT 
MULTIPLE RUNS 
5.2.2 GLOBAL SIMULATOR ORGANIZATION 

The simulator program is structured to simulate the detection of faults 
within a computer system and the computer system's successful/unsuccessful re- 
covery actions taken in response to the detected faults. Each simulated mission 
is assigned a mission time. A simulation run consists of the repetitive con- 
tinued simulation of a designated number of missions (each with the same mission 
length). 

A simulation run consists of several phases. First the system is ini- 
tialized by obtaining the input parameters and initializing fault counters. 

Next the system simulation begins. Faults are randomly generated for several 
missions and placed in a table. The fault table is searched to determine the 
next mission in which a fault occurs. After the mission parameters are ini- 
tialized, the handling of faults is simulated. Then the statistics for the mis- 
sion (i.e. final state, number of faults, causes of failures, etc.) are gathered. 
This process is repeated until all missions are simulated, and then estimates for 
analytic model parameters are calculated and printed along with the simulator 
statistics. Figure 5.2-2 illustrates the process for simulating the required 
number of missions. 

Simulated faults occur in either the GPC partition or the FCB partition. 
If the fault occurs in the GPC partition it is simulated by one of a set of sub- 
routines dependent upon the current GPC redundancy level and the recovery proce- 
dure in progress. This set of subroutines will be identified as the GPC simula- 
tion programs in following topics. They are described in more detail in Section 
5.3. Faults occurring in the FCB partition are simulated by a subroutine depen- 
dent upon the FCB component in which the fault occurs. The status of the FCB 
subsystem is represented by a set of tables. An approach like that chosen for 
the GPC simulation was impossible because of the large number of possibilities 
involved. Section 5.4 describes the FCB simulator programs in detail. 
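The fault-driven run described above, together with the FCOS recovery rule of Section 5.1.2, can be sketched in a few dozen lines; the block below is an added example, not the report's FORTRAN simulator. It simulates only the GPC partition with constructed rates and window, moves from fault to fault without simulating the operation in between, and reports the mission-failure estimate with a normal-approximation confidence interval as the report's output does.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class RunStats:
    """Simulation statistics gathered over one run of NMIS missions."""
    missions: int
    failures: int
    permanents: int
    transients: int
    discarded_good: int  # good GPCs dropped after a transient recurred in the window

    @property
    def msp(self):
        """Estimated mission success probability."""
        return 1.0 - self.failures / self.missions

    def msp_interval(self, z=1.96):
        """Normal-approximation confidence interval for the MSP estimate."""
        p = self.msp
        half = z * math.sqrt(p * (1.0 - p) / self.missions)
        return max(0.0, p - half), min(1.0, p + half)


def simulate_mission(rng, n_gpcs, t_mission, lam_perm, lam_trans, window, min_gpcs=2):
    """One fault-driven mission: jump to the next fault, simulate only the response.

    FCOS rule: the first fault on a GPC is recorded and no recovery action is
    taken; a second fault on that GPC within `window` is taken as permanent and
    the GPC is reconfigured out. A real permanent fault recurs at once, so the
    GPC is dropped on the spot. The mission fails when fewer than `min_gpcs`
    remain. Returns (success, permanents, transients, discarded_good).
    """
    active = list(range(n_gpcs))
    pending = {}  # gpc -> time of its recorded, not yet confirmed, fault
    t, n_perm, n_trans, discarded = 0.0, 0, 0, 0
    total_rate = lam_perm + lam_trans  # per-GPC fault rate (constructed units: 1/hour)
    while len(active) >= min_gpcs:
        if total_rate == 0.0:
            break  # no faults can occur: nothing to simulate
        t += rng.expovariate(len(active) * total_rate)
        if t > t_mission:
            break  # the next fault falls after mission end
        gpc = rng.choice(active)
        if rng.random() < lam_perm / total_rate:
            n_perm += 1
            active.remove(gpc)  # recurs within the window -> reconfigured out
            pending.pop(gpc, None)
            continue
        n_trans += 1
        last = pending.get(gpc)
        if last is not None and t - last <= window:
            active.remove(gpc)  # judged permanent: a good unit is discarded
            del pending[gpc]
            discarded += 1
        else:
            pending[gpc] = t  # recorded only; the transient's effects clear
    success = len(active) >= min_gpcs
    return success, n_perm, n_trans, discarded


def run_simulation(nmis, n_gpcs=4, t_mission=6.0, lam_perm=1e-4, lam_trans=1e-2,
                   window=0.05, seed=1):
    """Simulate NMIS missions of equal length and gather statistics (constructed defaults)."""
    rng = random.Random(seed)
    stats = RunStats(nmis, 0, 0, 0, 0)
    for _ in range(nmis):
        ok, p, tr, d = simulate_mission(rng, n_gpcs, t_mission, lam_perm, lam_trans, window)
        stats.failures += 0 if ok else 1
        stats.permanents += p
        stats.transients += tr
        stats.discarded_good += d
    return stats


if __name__ == "__main__":
    s = run_simulation(2000)
    lo, hi = s.msp_interval()
    print(f"MSP estimate {s.msp:.5f}  95% CI [{lo:.5f}, {hi:.5f}]")
    print(f"faults: {s.permanents} permanent, {s.transients} transient; "
          f"good GPCs discarded: {s.discarded_good}")
```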
FIGURE 5.2-2 PRINCIPLES OF A FAULT DRIVEN SIMULATION 
(BOX 3 OF FIGURE 4) 
5.2.3 SIMULATOR UTILIZATION 

The simulator provides the capability for estimating the fault handling 
abilities for a large number of configurations. In order to use the simulator, 
it is necessary to define the configuration and fault environment in detail, 
specify the simulator input parameters, set up a data deck, run the simulator 
program, and interpret the simulator results. 

The system configuration is defined by the software characteristics, 
recovery procedures, hardware redundancy, and the recovery parameters. The 
fault environment is specified by the transient and permanent fault distribu- 
tion functions. The software characteristics primarily affect parameters re- 
quired for GPC simulation such as minor cycle duration, the major cycle duration, 
the time between inter-computer comparisons, the iteration period and the execu- 
tive structure. The software characteristics indirectly affect other parameters 
such as recovery procedure performance parameters and fault coverage for FCB 
faults. The recovery procedures specify the method of transient recovery, if 
any. Rollahead, rollback, memory copy, delay before reconfiguration and system 
restart are the possible recovery methods. The hardware redundancy is specified 
by the number of each type of system component, and their interconnections. 
Recovery parameters such as BITE detection probability and program survivability 
are determined by a detailed analysis of the system hardware. The fault environ- 
ment is defined by the probability distribution functions of permanent faults, 
transient faults and transient fault durations. Permanent fault inter-arrival 
times are assumed to be exponentially distributed. Transient fault inter-arrival 
times can be exponentially distributed or burst distributed (see Section 5.3.3). 

It is necessary also to specify the parameters for the distributions (e.g. failure 
rates if the fault inter-arrivals are exponentially distributed). The input para- 
meters are described in more detail in Section 5.5.1. 

Once the input parameters are defined for the configuration, the simu- 
lation control parameters must be specified and the input deck must be set up. 

The parameter NMIS defines the number of missions to be simulated. The number 
of missions simulated has a bearing on the accuracy of the results; better ac- 
curacy is obtained by simulating a larger number of missions. The Flight Criti- 
cal Bus partition and the GPC partition can be simulated together or separately 
because they are nearly independent. Thus if the effectiveness of several 
transient recovery procedures is being investigated it is only necessary to 
simulate the GPC partition in order to determine transient leakages. The input 
deck setup is given in Appendix B. 
The simulator is then run and produces a configuration summary and some 
simulation statistics as output. The configuration summary includes a specifi- 
cation of the GPC configuration, the GPC fault environment, the FCB device 
failure rates and the FCB coverages. The simulation statistics includes the 
number of faults - both transient and permanent, the number of system failures, 
the number of "leaky" transients, and estimates of the mission failure proba- 
bility and certain analytic model parameters. The simulator output is described 
in detail in Section 5.5.3. 


INPUT DATA DECK 

Configuration Particulars 
• Software Characteristics 
• Recovery Procedures 
• Hardware Redundancy 
• Recovery Parameters 

Simulation Control 
• Number of Missions 
• Partitions to be Simulated 

Fault Environment 
• Permanent Fault Distribution 
• Transient Fault Distribution 

SIMULATOR PROGRAM 

SIMULATOR OUTPUT 

Configuration Summary 
• GPC Configuration 
• GPC Failure Rates 
• FCB Failure Rates 
• FCB Coverages 

Simulation Statistics 
• Number of Faults 
• Number of System Failures 
• Mission Failure Probability 
• Analytic Model Parameter Estimates 






5.3 SIMULATION OF THE GPCs 

5.3.1 OVERALL GPC SIMULATOR STRUCTURE 

The GPC simulator is organized as an "event driven," i.e., fault driven, 
simulation in order to minimize user computer costs. 

The approach taken in the formulation of the GPC simulator is an exten- 
sion of the approach described in KRUU 63. Formulating the simulator permits 
the computer system to be viewed as a finite state automaton. Thus, the system 
is described by the states it may assume and the possible transitions between 
states. 

The computer system states are defined by two conditions. The first 
of these is the function being performed by the system. Examples of these are: 

1. Normal Operation, 

2. Recovery Operation, 

3. Reduced Capability Operation, 

4. System Restart; and 

5. System Failure. 

The second of the system-state defining conditions is that of the number of 
permanent faults that the simulated system has suffered during the particular 
simulated mission under consideration. Obviously, the system that has not yet 
encountered a fault will be in normal operation, while a system that has 
encountered faults may be in recovery operations, reduced capability operations, 
system restart, or may have failed. 

Transitions between states in the simulated GPC system will be caused 
by either of two events. The first event that may cause a transition is the 
detection of a fault. For example, the first detection of a fault in the 
Shuttle GPC set causes a transition to the delay-reconfigurable state which 
simulates the FCOS transient-recovery method. Later detections of faults will 
cause a state transition in the simulated system. The second event, the comple- 
tion of a recovery procedure, will definitely cause a transition to another 
state. What state is the destination of this transition depends on the type 
of recovery procedure attempted. For example, the successful completion of a 
normal recovery procedure when four GPCs are operating will return the simula- 
tor to the normal operations state. However, a recovery procedure that requires 
deactivation of one of three GPCs will cause the simulated system to transition 
to the duplex state. 





An important aspect to be noted when considering the organization of 
the GPC simulator is that it is an "event driven" simulation. Thus, the 
initial state transition is only made when an event, in this case either a 
permanent or transient fault, occurs. Use of this type of structure provides 
a significant saving in computer time. 


• System is Described by the States it May Assume and 
the Possible Transitions Between States 

• States are Defined by: 

  • The Function Performed by the System 

  • The Number of Permanent Faults Assumed 
  by the System 

• Transitions are Caused by: 

  • Detection of Faults 

  • End of Recovery Procedure 

• Resulting Simulation is Event Driven 
5.3.2 STATE DIAGRAM 

A state in the state diagram is defined by the number of properly- 
functioning computers and the action performed by the computer system at a 
given time. 

Figure 5.3-1 presents the simplified state diagram of an adaptive NMR 
configuration that employs rollahead, rollback, and memory copy for transient- 
fault recovery. The algorithms involved in States I, II, III, and VII do not 
redundant states by maintaining a count in the simulation of the currently 
active computers. 

NORMAL OPERATION (3 OR MORE UNITS) 

In the normal operation state with three or more computer units, the 
outputs of the computers are periodically compared. Disagreement of one or 
more computers constitutes fault detection and requires exit from this state. 

As long as two computers are fault-free, the rollahead recovery proce- 
dure is used and, if it is not successful, the memory copy. If all computers 
disagree at the same time, a system restart is initiated. 

ROLLAHEAD (OR STATE VECTOR TRANSFER) 

The rollahead state is entered to simulate the computer system's 
attempt to recover from a detected single fault. The state vector (consisting 
of program variables and all register contents) of one good computer is used to 
replace the non-agreeing computer's state vector. However, all transient 
failures are not corrected by this procedure since a bad instruction cannot be 
restored. The approach taken in the simulation is to provide for the specifica- 
tion of a rollahead success probability. This probability can be formally 
defined as: 

P = Pr [fault is corrected given that a fault has occurred, 
has been detected, and its physical cause has dis- 
appeared when correction begins] 

An analysis, which gives consideration to the type of memory (e.g., 2 1/2D, 3D, 
DRO, NDRO, etc.) and the consequences of memory faults, will yield an estimate 
of the rollahead success probability (or program integrity). 

MEMORY COPY 

This recovery procedure is entered after a specified number of roll- 
aheads have been completed unsuccessfully. The memory contents of one good 
memory are transferred into the faulty memory. In order to avoid interruption 
of computation, the transfer is effected on the basis of cycle stealing. It 
ends with the updating of the state vector of the faulty computer. 

FIGURE 5.3-1 SIMULATOR STATE DIAGRAM 

Since, during a memory copy, normal application routines continue, it 
is possible that a new fault shows up. The following (conservative) assumption 
has been made in order to simplify the simulation. Upon detection of a second 
fault during a memory copy, the memory copy procedure is abandoned and the 
computer for which this memory copy was intended is discarded. 

It is assumed that memory copy provides recovery from transient faults 
which have disappeared when the memory copy began with a probability equal to 
the memory copy efficacy. 

SYSTEM RESTART 

The system restart state is entered when all computers disagree upon 
comparison. The recovery procedure from this state may consist of a memory 
verification. Relevant memory locations are read, voted upon, and restored. 
Extensive diagnosis may also be run. Finally, if a backup memory is available, 
reloading may be possible. Then the application program is reinitiated from 
the restart point. 

After a successful system restart, the system returns to the normal 
operation state. However, since all computers stop their normal computation 
during a system restart, this recovery procedure is time critical. 

Note that in a benign fault environment, the probability of having a 
system restart is quite small (≈ 1 for 1 million faults). However, system 
restart is necessary if the fault environment is so harsh that bursts of faults 
can hit several computers at a time or if the probability of a short power 
failure is not negligible. 

INTRODUCTION OF A SPARE 

If a spare is available, it should be activated once a permanent fault 
has been recognized. As part of the activation process, the spare is checked 
and conditioned by one of the good computers. In the situation depicted in the 
state diagram of Figure 5.3-1 spares are not available for the duplex and 
simplex simulation. This is thought to be compatible with the expected 
applications. 


NORMAL OPERATION (2 UNITS) 

The normal operation (2 units) state is entered upon the determination 
that a permanent fault exists in one of the three computers on the computer 
system. This state is quite similar to the normal operation (N units) state, 
except that the only available recovery procedure is program rollback. 

ROLLBACK 

The rollback state is entered upon the detection of a fault when the 
computer system is in the normal operation (2 units) state. Rollback is the 
term used to describe repetition of the program segment executed just prior to 
the detected output disagreement. The state vector at the beginning of each 
program segment is maintained in order that the rollback procedure may be 
accomplished. 

After the program segment has been repeated, the outputs of the two com- 
puters are compared; if the correction is successful, the computer system 
switches back to the normal operation (2 units) state. If the output differs, 
the system rolls back again; this unsuccessful recovery process continues a 
predetermined number of times before changing the computer system state to 
diagnosis. 

Since both of the active computers remaining in the computer system 
must stop their normal computations during a rollback, this computer recovery 
procedure may be time-critical. However, if comparisons are frequent enough, 
a rollback should not last more than a few milliseconds. 

DIAGNOSIS 

In triplex, voting provides a very easy and efficient way of isolating 
the faulty unit. Unfortunately, a disagreement upon comparison in duplex does 
not indicate which of the two computers produced the wrong value. That is why 
the main recovery procedure in duplex is the rollback: it requires no transfer 
of information from the good computer to the bad one. But if the rollback does 
not succeed, the bad computer must be isolated. For that purpose, self-tests 
are run. If they are successful, the faulty computer is isolated and the system 
switches to simplex. If they are unsuccessful, the system is unable to decide 
which computer is faulty, and the system fails. Diagnosis programs are obviously 
time critical. Note that it would be possible to include a memory copy which 
would take place once a diagnosis had been successful: the memory of the good 
computer would be copied into the bad one. However, this improvement is less 
valuable than it would seem, since many transients cannot be detected through 
diagnosis. 

NORMAL OPERATION (SIMPLEX) 

In simplex operation, comparison is no longer available for detection 
of faults. We must rely mostly on the BITE (built-in test equipment) to detect 
faults. CPU transients are difficult to detect; some may be caught through 
go/no-go counters and storage protection. Memory faults are easier to detect; 
parity checking is especially useful. When a fault is detected, a rollback is 
initiated. If the fault is not detected, a failure occurs. 

ROLLBACK IN SIMPLEX 

This is the same procedure used in duplex. Since it is the only 
recovery algorithm available in simplex, it is repeated as long as it is not 
successful. If recovery from the fault cannot be effected, a system failure 
will occur when the system has been down too long. 

SYSTEM FAILURE 

The system failure state is entered when the system is unable to run 
properly any longer or when computational requirements have not been met for 
too long a period of time. Upon recognition of the condition of a system 
failure, the DRIVER program discontinues the simulation of a mission. 

Causes of failures are: 

1. Excessive time in rollahead, memory copy, or rollback: This 
should not happen, since the system must be designed so that a 
recovery procedure does not endanger it. However, the continuous 
repetition of such procedures may be fatal to the successful 
completion of the mission. 

2. An overly-long system restart: A system restart is a very 
rarely called procedure. But it is long (a few seconds) and 
may not always be tolerable. 

3. Diagnosis incomplete when the available recovery time expires: 
Normally, diagnosis follows rollback. It is possible that these 
two recovery procedures together sometimes take too long. 

4. Undetected faults in simplex. 

5. A too-long rollback in simplex: This happens when a permanent 
fault occurs or when a non-recoverable transient occurs. 

6. EEM failures: In the case of non-dedicated EEMs, the system 
fails when all EEMs fail or when all but one fail and the 
computers are unable to decide which is the good EEM. 

7. Bus failures: The system fails when all buses fail or when 
all but one fail and the computers are unable to decide which 
is the good bus. 

8. Actuator/sensor failures. 
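The duplex and simplex recovery paths described above (rollback repeated a bounded number of times, then diagnosis, then simplex where rollback is the only remedy) can be walked as a small state machine. The following is an added example written for this edit, not code from the report's simulator; the timing parameters, the outcome of the self-test and whether BITE detects a fault in simplex are assumed inputs, and the "unacceptable recurrence interval" of Section 5.5 is not modelled.

```python
"""Toy recovery-state walk for the GPC partition (added example, not the
report's simulator).  Time is in seconds; all parameter values are assumed."""
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    NORMAL_2 = auto()     # normal operation (2 units)
    ROLLBACK = auto()     # rollback (duplex)
    DIAGNOSIS = auto()    # self-test to isolate the bad computer
    NORMAL_1 = auto()     # normal operation (simplex)
    ROLLBACK_1 = auto()   # rollback in simplex
    FAILURE = auto()      # system failure


@dataclass
class Params:
    rollback_time: float      # seconds to re-execute one program segment (assumed)
    max_rollbacks: int        # duplex: rollbacks attempted before diagnosis
    self_test_time: float     # duration of the diagnosis program (assumed)
    max_down_time: float      # longest tolerable interruption of computation (assumed)
    self_test_isolates: bool  # assumed outcome of the self-test on a persisting fault


@dataclass
class Fault:
    duration: float           # seconds the fault persists; float('inf') = permanent
    detected: bool = True     # simplex only: did BITE catch it at all?


def run(state, fault, p):
    """Handle one fault starting from `state`.
    Returns (final state, list of states visited, computation time lost)."""
    trace = [state]
    elapsed = 0.0

    def goto(s):
        trace.append(s)
        return s

    if state is State.NORMAL_2:
        goto(State.ROLLBACK)
        for _ in range(p.max_rollbacks):
            elapsed += p.rollback_time
            if elapsed > p.max_down_time:          # cause of failure 1
                return goto(State.FAILURE), trace, elapsed
            if elapsed >= fault.duration:          # transient gone: outputs agree again
                return goto(State.NORMAL_2), trace, elapsed
        goto(State.DIAGNOSIS)                      # rollbacks exhausted
        elapsed += p.self_test_time
        if elapsed > p.max_down_time:              # cause of failure 3
            return goto(State.FAILURE), trace, elapsed
        if not p.self_test_isolates:               # cannot tell which computer is bad
            return goto(State.FAILURE), trace, elapsed
        return goto(State.NORMAL_1), trace, elapsed

    if state is State.NORMAL_1:
        if not fault.detected:                     # cause of failure 4
            return goto(State.FAILURE), trace, elapsed
        goto(State.ROLLBACK_1)
        while True:                                # only recovery available: repeat
            elapsed += p.rollback_time
            if elapsed >= fault.duration:
                return goto(State.NORMAL_1), trace, elapsed
            if elapsed > p.max_down_time:          # cause of failure 5
                return goto(State.FAILURE), trace, elapsed

    raise ValueError(f"no fault handling modelled from {state}")
```

A transient shorter than `max_rollbacks * rollback_time` is absorbed by rollback alone; anything longer reaches diagnosis, and in simplex the same fault either clears or runs the system past its allowed down time.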
5.3.3 FAULT GENERATION 

A flexible approach to the generation of faults was chosen for use in 
the RCS simulator. 

A major portion of the simulator is dedicated to the generation of 
faults according to mathematical algorithms which describe the occurrence of 
faults in the various components of the computer system. Two approaches .to 
handling this problem were considered: 

1. Generation of one fault at a time. 

2. Generation of a fault table describing the faults which 
occur in the computer system between 0 and a time T. 

The first approach is suitable if we consider only single faults and 
if we simply describe fault occurrences within the computer system, e.g., the 
fault-arrival rate in the system is \lambda and the probability that a fault is in 
the i-th part of the computer system is P_i. This procedure is described in 
LYON 62. 

Since we must deal with transient failures also, we want to know how 
the computer system behaves in case of multiple faults. Furthermore, if the 
faults do not occur according to a Poisson law in all modules (burst of tran- 
sient failures for example), the method described in LYON 62 is not readily 
applicable. 

A more efficient and more general approach is to generate a fault 
table prior to simulation. This also makes the simulation program more func- 
tionally modular since, once the simulation has begun, we have only to scan 
the fault table to determine when and where the next fault occurs. 

PARAMETERS 

The parameters necessary to generate the fault table for a simulator 
run are a part of the parameters of simulation which are input by the simulator 
user for each simulator run. 

DESCRIPTION OF THE COMPUTER SYSTEM 

The computer system to be simulated is composed of n identical computers, 
each composed of m modules. 
DESCRIPTION OF THE FAULT DISTRIBUTIONS 

For each of the m modules , the distribution functions to be used in 
generation of both permanent and transient faults must be indicated by the 
simulator user. Specific subroutines for the chosen distribution functions 
are then called and the parameters of the distribution are passed to these 
subroutines. 

For permanent faults, only the Poisson distribution has been 
implemented. This is generally considered in the literature to be the most 
realistic. 

For transient faults, Poisson and burst distributions have been con- 
sidered. Poisson distributions are considered because of their tractability 
and acceptance for the permanent fault case. Burst distributions are thought 
to be important because many transients likely are caused by components 
working near the limits of their tolerance specifications. As long as the 
conditions do not improve, faults will occur often in these components. A 
burst of transients is defined by its duration and the rate of transient 
occurrence during the burst. Bursts occur according to the burst rate.* 

DESCRIPTION OF THE FAULT DURATION 

For each of the m modules, the distribution function of the transient 
failure durations to be used by the simulator programs must be indicated by 
the simulator user. Specific subroutines for the chosen distribution functions 
are called by the Driver and the subroutines receive the parameters of the 
distributions. 

At the present time, the uniform and the exponential distributions 
have been implemented. 

1. Uniform Distribution — The transient failure duration is 
uniformly distributed between a minimum and a maximum duration. 

2. Exponential Distribution -- The transient failure duration is 
exponentially distributed. The mean duration is 1/\mu. 

DESCRIPTION OF THE FAULT TABLE 

The fault table consists of 300 records ordered according to the 
occurrence time of each fault. This table can contain up to 150 permanent 
faults and 150 transient faults. It has the following record format: 
Permanent failures are identified by a duration longer than the 
mission time. 

GENERAL ORGANIZATION OF THE FAULT GENERATOR 

The first step consists of generating a table of permanent failures 
and a table of transient failures for each module in the computer system. 
Then these tables are merged into one sequentially-ordered (master) fault 
table. The general organization of the fault generator is presented in 
Figure 5.3-2. 

DETERMINATION OF THE OCCURRENCE TIME OF THE FAULT ACCORDING TO A POISSON 
DISTRIBUTION FUNCTION 

Faults occurring by a Poisson process have a probability P_1 that exactly 
one fault occurs during a small interval of time dt, as follows: 

P_1 = \lambda \, dt   (see PARZ 60). 

The probability P_0 of no fault occurring during the time interval dt is 
P_0 = 1 - \lambda \, dt, and the probability of more than one fault occurring 
in dt is 0 (to first order in dt). 

A Poisson process has two very important properties: 

1. It is memoryless: the probability of a fault occurring between times t 
and t+dt is independent of fault occurrences before time t. 

2. The probability density function of the random variable T_\lambda, i.e., 
the interarrival time between two consecutive faults, is 

f_T(t) = \lambda e^{-\lambda t} 

Thus the probability distribution function of T_\lambda is: 

P[T_\lambda \le t] = \int_0^t f_T(u) \, du = 1 - e^{-\lambda t} 
FIGURE 5.3-2 GENERAL ORGANIZATION OF THE FAULT GENERATOR 
Thus the probability of having no fault up to time t is: 

R(t) = e^{-\lambda t} 

A difficulty arises at this point since the random number generator 
(function) available in the CYBERNET system produces outputs which are uniformly 
distributed on the interval 0 \le U < 1. The outputs of this generator can be con- 
verted using the approach described below (HILL 70, SHRE 66). 

We are concerned with the random variable T_\lambda, the interarrival time 
between faults, whose distribution function is given above as 

P[T_\lambda \le t] = 1 - e^{-\lambda t} 

For the purposes of the simulation we wish to obtain values of t. We now note 
two important facts. First, 0 \le P \le 1. Second, by algebraic manipulation it is 
possible to solve for t: 

t = -\frac{1}{\lambda} \ln(1 - P) 

Thus, for any value of P in the valid range (P < 1, so that the logarithm is 
defined), a value of t can be calculated. By generating values of P using the 
random number generator, which produces uniformly distributed numbers between 
zero and one, t can then be calculated. 

A more formal description of the process follows. Using the random 
number generator which gives a number U uniformly distributed on the interval 
0 \le U < 1, we have to compute T_\lambda, which is exponentially distributed. That 
means that we have to find a function f(U) such that: 

T_\lambda = f(U) 

with P[U \le u] = u (uniform distribution, 0 \le u < 1) and 
P[T_\lambda \le t] = 1 - e^{-\lambda t}. 

If T_\lambda = f(U) and f is increasing, we can define the inverse function g such 
that U = g(T_\lambda). Thus, we have: 

P[T_\lambda \le t] = 1 - e^{-\lambda t} 
               = P[f(U) \le t] 
               = P[U \le g(t)] 
               = g(t) 

The last equation is true since U is uniformly distributed on the interval 
0 \le U < 1. Thus we know that the unknown function f is the inverse of the 
function g(t) = 1 - e^{-\lambda t}. Hence: 

u = g(t) = 1 - e^{-\lambda t} 
t = -\frac{1}{\lambda} \ln(1 - u) = f(u) 

Since we have just found the function f, we can write 

T_\lambda = -\frac{1}{\lambda} \ln(1 - U) 

But we can have a simpler expression: U is uniformly distributed on the 
interval 0 \le U < 1, hence 1 - U is uniformly distributed on 0 < 1 - U \le 1. 
This implies that the distribution of T_\lambda does not change if we replace 
1 - U by U, provided the value U = 0 (for which \ln U is undefined) is rejected. 

Finally, we have shown that if U is uniformly distributed on 0 \le U < 1, 
then T_\lambda = -\frac{1}{\lambda} \ln U is exponentially distributed, the 
parameter of the distribution being \lambda. 

Using the random number generator provided by the CYBERNET system, 
we determine the different interarrival times and thus the occurrence times. 
The flowchart of the generation of the occurrence times of the faults in one 
module is presented in Figure 5.3-3. 

DETERMINATION OF THE DURATION 

As stated earlier, both exponential and uniform distributions of 
transient fault duration are available in the simulator. If the transient 
duration is exponentially distributed (parameter \mu), we determine a duration 
D_T for each transient: 

D_T = -\frac{1}{\mu} \ln U 

using the same general procedure described for the occurrence time. If the 
duration is uniformly distributed on 0 < D_T \le D_{max}, the duration is 

D_T = D_{max} \cdot U 

DETERMINATION OF THE OCCURRENCE TIME OF THE FAULTS ACCORDING TO A 
BURST DISTRIBUTION FUNCTION 

The occurrence time and duration of the bursts are determined as 
described above for faults having a Poisson distribution function. Then, 
for each burst, the occurrence time and duration of the transients within 
the burst are determined. 

SUMMARY OF FAULT-GENERATION POSSIBILITIES 

From the above discussion, it can be seen that there are a number of 
fault-generation possibilities that can be used in the simulator. With respect 
to permanent faults, the standard fault generator is one that generates faults 
according to a Poisson distribution function. However, as a result of the 
presence of the uniform distribution random number generator, it is possible 
to use other distributions that are expressible analytically (any distribution 
whose cumulative distribution function can be inverted in closed form). For 
transient faults of the non-burst variety, the occurrence rate and the duration 
are modeled and each of these may conform to either a Poisson or another 
distribution. Burst faults are characterized by four parameters, i.e., the 
burst-packet occurrence rate, the burst-packet duration, the fault occurrence 
rate within the burst packet, and the duration of the individual faults. Each of 
these rates and durations can be modeled using either Poisson or other 
distributions. 
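The fault-generation procedure described in this subsection (Poisson occurrence times obtained by the inverse-transform method T = -(1/lambda) ln U, exponential or uniform transient durations, bursts of transients, and the merge of the per-module tables into one master table in which a permanent fault is marked by a duration longer than the mission time) is put together below. This is an added example written for this edit, not the report's FORTRAN simulator. The record layout, the per-hour time unit, the 150-record limit per fault kind and the rates used in the comments are assumptions for illustration; the report's record-format table is not reproduced on this page.

```python
"""Fault-table generator in the style of Section 5.3.3 (added example,
not the report's code).  Times and durations are in hours; rates are per hour."""
import heapq
import math
import random
from dataclasses import dataclass

MAX_PERMANENT = 150     # assumed: the report's master table holds 150 permanent
MAX_TRANSIENT = 150     # and 150 transient records


@dataclass(order=True)
class FaultRecord:          # assumed record layout
    time: float             # occurrence time (hours)
    computer: int
    module: int
    duration: float         # hours; longer than the mission time marks a permanent fault
    kind: str = "transient" # "permanent", "transient" (isolated) or "burst"


def exp_sample(rate, rng):
    """Inverse-transform sample of an exponential(rate) variable: T = -ln(U)/rate.
    U = 0 is rejected so that the logarithm is always defined."""
    u = rng.random()
    while u == 0.0:
        u = rng.random()
    return -math.log(u) / rate


def poisson_times(rate, t_end, rng=None, t_start=0.0):
    """Occurrence times of a Poisson process of the given rate on (t_start, t_end]."""
    rng = random.Random(0) if rng is None else rng
    times = []
    if rate <= 0.0:
        return times
    t = t_start + exp_sample(rate, rng)
    while t <= t_end:
        times.append(t)
        t += exp_sample(rate, rng)
    return times


def sample_duration(spec, rng):
    """spec = ("exp", mean_hours) or ("uniform", d_min_hours, d_max_hours)."""
    if spec[0] == "exp":
        return exp_sample(1.0 / spec[1], rng)       # mean 1/mu  ->  rate mu
    if spec[0] == "uniform":
        return spec[1] + (spec[2] - spec[1]) * rng.random()
    raise ValueError(f"unknown duration distribution {spec!r}")


@dataclass
class ModuleSpec:
    perm_rate: float                      # permanent faults per hour (Poisson)
    trans_rate: float                     # isolated transients per hour (Poisson)
    trans_duration: tuple                 # duration spec applied to every transient
    burst_rate: float = 0.0               # bursts per hour (Poisson)
    burst_duration: tuple = ("exp", 1e-3) # duration spec of a burst packet
    in_burst_rate: float = 0.0            # transients per hour while a burst is active


def module_faults(comp, mod, spec, mission_time, rng):
    """Step 1: per-module tables of permanent faults, transients and bursts."""
    recs = []
    for t in poisson_times(spec.perm_rate, mission_time, rng):
        recs.append(FaultRecord(t, comp, mod, mission_time + 1.0, "permanent"))
    for t in poisson_times(spec.trans_rate, mission_time, rng):
        recs.append(FaultRecord(t, comp, mod, sample_duration(spec.trans_duration, rng)))
    for b in poisson_times(spec.burst_rate, mission_time, rng):
        b_end = min(mission_time, b + sample_duration(spec.burst_duration, rng))
        for t in poisson_times(spec.in_burst_rate, b_end, rng, t_start=b):
            recs.append(FaultRecord(t, comp, mod,
                                    sample_duration(spec.trans_duration, rng), "burst"))
    return recs


def build_fault_table(n_computers, module_specs, mission_time, seed=1):
    """Step 2: merge the per-module tables into one master table ordered by time."""
    rng = random.Random(seed)
    tables = [sorted(module_faults(c, m, spec, mission_time, rng))
              for c in range(n_computers) for m, spec in enumerate(module_specs)]
    master = list(heapq.merge(*tables))
    n_perm = sum(1 for r in master if is_permanent(r, mission_time))
    if n_perm > MAX_PERMANENT or len(master) - n_perm > MAX_TRANSIENT:
        raise OverflowError("fault table capacity exceeded; lower the rates or mission time")
    return master


def is_permanent(rec, mission_time):
    return rec.duration > mission_time


def mean_exp_sample(rate, n, seed=0):
    """Sample mean of n inverse-transform draws; approaches 1/rate as n grows."""
    rng = random.Random(seed)
    return sum(exp_sample(rate, rng) for _ in range(n)) / n
```

Seeding the generator makes a run repeatable, which matters when a survivability figure has to be reproduced; the capacity check makes the table overflow an explicit error rather than a silently truncated mission.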
FIGURE 5.3-3 GENERATION OF THE OCCURRENCE OF THE FAULTS 
IN ONE MODULE (POISSON DISTRIBUTION) 

5.4 SIMULATION OF FLIGHT-CRITICAL BUS SUBSYSTEM 


5.4.1 GLOBAL APPROACH TO FCB MODELING 

For survivability assessment purposes, the Shuttle Data Processing 
Subsystem was partitioned into seven independent equipment groups, as follows: 
the five general-purpose computers (GPC); the flight-critical buses and con- 
nected equipment (FCB); the two mass memory units and their buses (MM); the 
display equipment and their buses (DIS); the payload operations equipment and 
buses (PLO); the launch related equipment and buses (LE); and the flight in- 
struments and buses (FI).* The input-output partition (I-O) includes all of 
the above equipment groups except the GPC partition. 

The diagram on the opposite page shows the layout of the flight criti- 
cal bus partition, which is the most complicated input-output equipment group. 
The eight flight-critical buses, FC1 - FC8, are interfaced with all GPCs. Each 
dedicated display unit (DDU) is interfaced with three buses by means of three 
redundant ports. The flight-forward MDMs are each interfaced with two buses by 
means of a primary port and a secondary port. If the electronics associated 
with a primary port fails, the backup port is switched in. Each interface unit 
(MDM or DDU) controls several dedicated and/or non-dedicated devices (non- 
dedicated devices are shaded and can be accessed through more than one MDM). 
These devices are redundant (e.g., ACCEL1, ACCEL2, and ACCEL3 perform identi- 
cal functions), thus one of them can fail without causing a system failure. 

The I-O partition simulation modeling is different from the GPC parti- 
tion simulation modeling, in that the state of the I-O partition is represented 
by a set of tables rather than by a procedure as for the GPC partition. This 
method was chosen because the I-O partition requires many more states than the 
GPC partition, and the simulation of a particular I-O state is much simpler 
than the simulation of a GPC state, since no software considerations need be 
taken into account. 

The behavior of each equipment group in the I-O partition is represented 
by several tables and procedures. The tables define the current state of the 
system, i.e., the partition status, the device interconnections, and the par- 
tition's recovery capabilities. The procedures define the fault-induced system 
action, the resulting table modifications (i.e., state transition), and the 
successfulness of the recovery. Both the built-in test equipment and the redun- 
dancy management software are factored into the implementation of these pro- 
cedures, since they define fault detection, isolation, and recovery success 
probabilities. The next topic discusses the simulator representation of the 
flight critical bus partition. 

*See Section 4.1 for an explanation of the DPS partitioning. 
5.4.2 FCB SUBSYSTEM STATUS REPRESENTATION 

The status of the flight-critical-bus partition is represented in 
memory by a set of tables like the ones on the facing page. Table 5.4-I indi- 
cates the interconnection between the flight-critical buses (FC1 - FC8) and the 
IUs (interface units, i.e., MDMs and DDUs). Table 5.4-II reflects the relation- 
ship between the flight-forward MDMs (MDMs FF1 - FF4) and the dedicated sensors 
and actuators. Additional tables relate the MDMs and DDUs to the other devices. 
A procedure is invoked to determine and record the effects of a fault in the 
flight-critical bus partition on the system. 

The interface between the flight-critical buses and the IUs is reflec- 
ted by Table 5.4-I on the facing page. Each row corresponds to a flight- 
critical bus and each column corresponds to an IU. An element that is indexed 
by a particular bus and IU (row and column) is assigned a number according 
to the following scheme: 

0 — The bus does not have a functional interface with the IU. 

1 — The bus has an active interface with the IU. 

2 — The bus has a functional, but inactive, interface with the IU 
(i.e., this represents a secondary port). 

Thus from Table 5.4-I, it can be inferred that MDM FF1 is interfaced with flight- 
critical buses FC1 and FC5. FC1 is connected to the primary (active) port of 
MDM FF1, and FC5 is connected to the secondary port. Note that each DDU has 
three active ports. Here it is assumed that display information is transmitted 
on buses FC1 - FC4, and the actual bus used by a DDU is selected by a manual 
switch on its control panel. 

The interface between MDMs FF1 - FF4 and the dedicated sensors and ac- 
tuators they control is indicated by Table 5.4-II. Each row corresponds to a 
flight-forward MDM, and each column corresponds to devices of a particular type. 
An element corresponding to a particular MDM and type of device has a value of 
"0" or "1", which indicates: 

0 — A functioning device of this type is not associated with the MDM. 

1 — A functioning device of this type is connected to the MDM. 

Thus Table 5.4-II indicates three accelerometers, with ACCEL1 interfaced to MDM 
FF1, ACCEL2 interfaced to MDM FF2 and ACCEL3 interfaced to MDM FF3. 
5.4.3 ORGANIZATION OF FCB SIMULATION PROGRAM 

The effects of faults occurring in the flight critical bus partition 
are simulated by the subroutine FCBFLT, which is flowcharted in Figure 5.4-2. 
This routine first determines the fault location, and then calls the appropri- 
ate fault simulation routine. If the fault results in a safety-critical failure, 
then system failure is indicated. Otherwise, a status vector is set to indicate 
the loss of any functions that have an effect on GPC performance (e.g., the 
MTU). Control is then passed back to the calling program, FIFAU. 

The six FCB fault simulation routines are: BUSFLT for simulating the 
occurrence of a fault on a flight-critical bus, MDMFLT for simulating faults 
occurring in the flight-critical bus terminal units, and DDUFLT, DFFFLT, 
NFFFLT, and DFAFLT for simulating faults occurring in the device interfaces 
with the bus terminal units. Each routine has similar program logic. The 
status of the unit in which the simulated fault occurred is first checked. If 
the unit has already failed, the fault is ignored and control passes back to 
FCBFLT. Otherwise, the fault counter is incremented and control is passed to the 
appropriate program segment determined by the fault type. 

If the fault is transient, the transient-fault counters are first in- 
cremented and then transient recovery is simulated. If the fault corrupts data 
and is undetected, it is assumed critical. If the fault disappears within a 
certain time period (the time required for transient recovery, i.e., a RETRY) 
and causes no permanent damage, transient recovery is assumed successful and 
control is returned to FCBFLT. Otherwise, the fault is handled as a permanent 
(it is assumed that FCOS mistakes the transient for a permanent and acts 
accordingly). 

Permanent faults result in replacement, or deletion with redundancy 
masking, of the faulty unit. If the unit is removed, all devices that depend upon 
it are also removed. Thus, if one of the flight critical buses permanently 
fails, it is removed from the system (all I/O transactions requiring it are ter- 
minated). All bus terminal units using the faulty bus switch to their backup 
ports interfaced with other buses. If no backup ports are available to a BTU 
(Bus Terminal Unit), it is indicated as failed and thus removed from the sys- 
tem. Thus, all devices connected to it can no longer function, and must be 
removed from the system. If the status now indicates that a necessary device 
is no longer available, a flight critical failure is indicated. 
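The table encoding of 5.4.2 (bus-to-IU matrix with 0/1/2 entries, MDM-to-device matrix with 0/1 entries) and the permanent-bus-failure rule just described can be exercised together. The following is an added example, not the report's FCBFLT/BUSFLT code. The wiring is a constructed, reduced configuration: FF1 on FC1 (primary) and FC5 (secondary) follows the text, the other three MDMs and the device types attached to them are assumed, and DDUs are omitted. The functions `bus_permanent_fault`, `ports` and `functioning` are names chosen for this example.

```python
"""Table-driven status of the flight-critical bus partition (added example,
not the report's code).  The wiring below is a made-up subset for illustration."""
from copy import deepcopy

NONE, ACTIVE, BACKUP = 0, 1, 2   # Table 5.4-I element codes

# Table 5.4-I analogue: rows = buses, columns = IUs.  Assumed wiring: FFn has its
# primary port on FCn and its secondary port on FC(n+4); FF1 matches the text.
BUS_IU = {
    "FC1": {"FF1": ACTIVE}, "FC2": {"FF2": ACTIVE},
    "FC3": {"FF3": ACTIVE}, "FC4": {"FF4": ACTIVE},
    "FC5": {"FF1": BACKUP}, "FC6": {"FF2": BACKUP},
    "FC7": {"FF3": BACKUP}, "FC8": {"FF4": BACKUP},
}

# Table 5.4-II analogue: rows = MDMs, columns = device types (1 = functioning
# device of that type attached).  Three accelerometers on FF1..FF3 as in the text;
# the "RGA" column is an assumed second device type.
MDM_DEVICES = {
    "FF1": {"ACCEL": 1, "RGA": 1},
    "FF2": {"ACCEL": 1, "RGA": 1},
    "FF3": {"ACCEL": 1, "RGA": 1},
    "FF4": {"ACCEL": 0, "RGA": 1},
}
REQUIRED_TYPES = ("ACCEL", "RGA")   # at least one functioning unit of each is needed


class FcbStatus:
    def __init__(self, bus_iu=BUS_IU, mdm_devices=MDM_DEVICES):
        self.bus_iu = deepcopy(bus_iu)
        self.mdm_devices = deepcopy(mdm_devices)
        self.failed_buses = set()
        self.failed_ius = set()

    def ports(self, iu):
        """(bus, code) pairs on live buses that still give this IU an interface."""
        return [(b, row[iu]) for b, row in self.bus_iu.items()
                if b not in self.failed_buses and row.get(iu, NONE) != NONE]

    def functioning(self, dtype):
        """Number of functioning devices of one type reachable through live IUs."""
        return sum(devs.get(dtype, 0) for iu, devs in self.mdm_devices.items()
                   if iu not in self.failed_ius)

    def bus_permanent_fault(self, bus):
        """Apply the permanent-bus-fault rule; return True on a flight-critical failure."""
        if bus in self.failed_buses:
            return False                          # unit already failed: fault ignored
        self.failed_buses.add(bus)                # bus removed from the system
        for iu in list(self.bus_iu[bus]):
            if iu in self.failed_ius:
                continue
            if self.bus_iu[bus][iu] != ACTIVE:
                continue                          # only a secondary port was lost
            backups = [b for b, code in self.ports(iu) if code == BACKUP]
            if backups:
                self.bus_iu[backups[0]][iu] = ACTIVE   # switch the backup port in
            else:
                self.failed_ius.add(iu)           # no port left: BTU and its devices lost
        return any(self.functioning(t) == 0 for t in REQUIRED_TYPES)
```

Because the device matrix is consulted through the set of failed IUs rather than rewritten, the same tables answer "what is still reachable" after any sequence of bus losses, which is the state the report's tables are meant to carry between faults.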
5.4.4 INTEGRATING FCB SIMULATION SUBROUTINES WITH THE MAIN PROGRAM 

The Input-Output fault simulation subroutines are integrated with the 
GPC simulation routines by means of the subroutine FIFAU, which is invoked for 
every simulated fault to determine how it is to be simulated. FIFAU distinguishes 
between three classes of faults. Those occurring in a GPC's CPU or Memory are 
simulated by the GPC state simulation subroutines. Faults occurring in one of 
the I/O equipment groups are simulated by the I/O simulation subroutines. Those 
faults appearing in the GPC's IOP are simulated by the GPC state-simulation 
routines or the I/O simulation routines, or both, depending on their impact. Most 
IOP faults result in a GPC failure, because the IOP is needed as an interface 
to the I/O network; however, it is possible that an IOP fault could also disable 
a bus (e.g., a fault occurring in an IOP's BCE could appear to be a bus fault 
to FCOS, thereby resulting in bus replacement, effectively disabling the bus). 

The overall control sequence for the subroutine FIFAU is shown in Figure 
5.4-3. FIFAU first determines where the simulated fault occurs and jumps to the 
corresponding program segment (illustrated by the DO CASE statement in Box 1 of 
the flowchart). If the simulated fault occurs in the CPU or Memory, the program 
sequence follows the CPU/memory branch (branch 2); if the fault occurs in the 
IOP, control follows branch 3; and if the fault occurs in the I/O network, con- 
trol follows branch 4 and executes the I/O simulation routines. Upon completion 
of the program segment, control returns to the statement following the DO CASE, 
and then returns to the calling program with two parameters, IN and NEXT. IN 
indicates to the calling program whether it is necessary to simulate GPC recovery 
for that fault. NEXT is set if a system failure has occurred as a result of 
an I/O fault. 

The CPU/Memory program segment first determines if the unit in which the 
simulated fault occurs has already failed. If it hasn't, then IN is set to indi- 
cate that simulation of GPC recovery is necessary, and control is returned to the 
calling program. If the GPC has already failed, the fault is ignored by setting 
IN to indicate that no GPC recovery-simulation is necessary. 

The IOP program segment determines the impact of the IOP fault on the 
bus and GPC. If the bus is impacted, a routine is invoked to simulate recovery, 
and then status indicators are set to indicate the resulting system status. If 
the CPU's capability for receiving correct data is affected, then IN is set to 
indicate that GPC recovery is still necessary, otherwise, the bus recovery 
routine (e.g., switching the bus connected to a faulty BCE) is assumed to have 
corrected the fault, and IN is set to indicate that further processing for this 
fault is unnecessary. If access to critical devices were lost as a result of 
bus replacement, NEXT is set to indicate the occurrence of a safety critical 
failure. 

Program segment 4 first determines which equipment group the fault occurs 
in, and then invokes the appropriate simulation routine (e.g., if the fault occurs 
in the flight critical bus partition, the routine FCBFLT is invoked). If a safety 
critical function was lost, NEXT is set to indicate such; otherwise, IN is set to 
indicate that no further simulation is necessary for this fault. 



FIGURE 5.4-3 FIFAU OVERALL CONTROL SEQUENCE 
5.5 SIMULATOR UTILIZATION 

5.5.1 SIMULATOR INPUTS 

The inputs required by the simulator are summarized in Tables 5.5-1 
and 5.5-II. The detailed simulator input deck set-up is given in Appendix B.l. 
The use of some of these inputs is discussed below. 

The detection probabilities are the probabilities that a computer detects 
its own faults (except through diagnosis). This is not significant for N-M-R 
configurations (N ≥ 3) since all faults are detected and located through voting 
or comparison. However, these probabilities become critical in duplex and 
simplex. In duplex, faults are detected through comparisons. However, BITE or 
self-test is needed to isolate the faulty computer. In simplex, BITE is 
necessary, since it provides the only means for detecting transient faults. 

For simplex operation the detection probability of CPU faults is low. 
Faults in the CPU usually cause only a wrong output which will not be detected 
by BITE. However, some will be detected. Those are the ones which cause a for- 
bidden address to be computed or those which modify the computing sequence in 
such a manner that a go/no-go counter detects them. IBM estimates this detec- 
tion probability to be about 35%. 

The main technique to detect a memory fault is parity encoding. When 
it exists, the probability of detecting a memory fault is usually better than 
80%. When it does not exist, this probability is quite small. 

Self-test programs (diagnosis) are run in a duplex system where a fault 
has been detected but not isolated. Note that if the fault is transient, the 
self-test will probably not diagnose it, since it usually dissipates before the 
test is run. 

If the configuration includes some additional hardware for the Input- 
Output Processor, the consequence of faults in this hardware has to be assessed. 
We partitioned the configurations into two classes. In the first class (dedicated 
IOPs), we assume that a fault in the IOP is equivalent to a fault in the computer 
and sometimes on the corresponding bus. In the second one (non-dedicated IOPs), 
we assume that IOPs are independent from the computers. The system can work as 
long as one computer and one IOP are good. Note that the dedicated case includes 
software TMR. 

In the present simulator, the recovery procedure for an NMR system is 
the state vector transfer. Memory copy is optional. 
TABLE 5.5-I REQUIRED SIMULATOR INPUTS - GPC PARTITION 


NUMBER OF SIMULATED MISSIONS 
MISSION DEPENDENT PARAMETER 
Mission Time 

MACHINE DEPENDENT PARAMETERS 

Permanent Failure Rates 

BITE Detection Probability of a CPU Fault 

BITE Detection Probability of a Memory Fault 

Self-Test Program Efficiency 

Self-Test Program Duration 

CONFIGURATION-DEPENDENT PARAMETERS 

Number of Computers 
Number of Spares 

Dedicated/Non-Dedicated IOPs (Input-Output Processor) 

Probability that an IOP Fault Hits the Bus 

Number of Non-Dedicated IOPs 

Applicable Recovery Algorithms 

Recovery Algorithm Characteristics 

Duration 

Unacceptable Recurrence Interval 
Maximum Number of Rollbacks 
Program Integrity 
Memory-Copy Efficacy 

SCHEDULING PARAMETERS 

Iteration Period 
Time Between Comparisons 
Major and Minor Cycle Durations 
Asynchronous/Synchronous Mechanism 

ENVIRONMENT DEPENDENT PARAMETERS 

Transient Failure Rates 
Transient Failure Duration 
Once a recovery procedure has failed for a certain fault, it is useless 
to attempt to recover through the same procedure. Some other one has to be 
chosen. If after completion of a recovery procedure, a fault recurs in the 
same computer after a time less than the unacceptable recurrence interval, the 
system decides that the recovery procedure was unsuccessful and attempts some- 
thing else. Usually, the recurrence intervals will be chosen equal to the 
duration of one major cycle. The rationale is that the memory is thoroughly 
exercised in one major cycle. 

The Program Integrity is listed with the other recovery algorithm 
characteristics because a transient recovery algorithm not involving memory 
refresh cannot succeed when there is program memory damage. Program integrity 
is strongly linked to the type of memory: an NDRO memory is much better in this 
respect than a DRO memory. The fact that there is no need to restore the infor- 
mation makes it very unlikely that a transient fault damages instructions or 
constants. In addition, in most NDRO applications, the write voltage for the 
program memory is disabled except when altering the program under AGE control. 

The memory copy-efficacy is the probability that a memory copy corrects 
a transient fault. The only reason why it should not succeed is that the tran- 
sient had hit the little (micro) program initiating the memory copy. This is 
very unlikely since this program should reside in a read only memory or micro- 
store. 

Table 5.5-II lists the required simulator inputs for the FCB partition. 
The redundancy and interconnections between FCB components are specified by five 
arrays. In general, an array element equal to one indicates that a connection 
between the devices indicated by the row and column indices exists, and a 
zero indicates the opposite. These matrices are described in more detail in 
Section 5.4. Device names, which are used for identifying components on the 
simulator listings, are specified in the input deck to allow more flexibility. 
Because of the large number of devices on the FCB bus, recovery characteristics 
are specified by transient fault detectabilities, transient leakages and cover- 
ages, rather than by specific recovery procedures. Eighty-nine cards are 
needed to specify the FCB configuration and failure rates. 


TABLE 5.5-II REQUIRED SIMULATOR INPUTS - FCB PARTITION 


CONFIGURATION-DEPENDENT PARAMETERS 

• Number of I/O Devices 

• Redundancy of I/O Devices 

• Interconnections Between I/O Devices 

DEVICE DEPENDENT PARAMETERS 

• Device Identification Names 

• Transient Fault Detectabilities 

• Transient Fault Leakages 

• Fault Coverages 


FAULT ENVIRONMENT 

• Permanent Failure Rates 

• Transient Failure Rates 
5.5.2 OBTAINING SIMULATOR INPUT PARAMETERS 


An important point in the application of CAST to the shuttle data 
processing subsystem is the determination of simulator input parameters. 

There are several methods for obtaining them if their values are not obvious. 
Failure rates and built-in test detection probabilities are usually obtained 
from the manufacturer. Parameters affecting transient fault recovery, such 
as the PROGRAM INTEGRITY or transient leakages, can be determined by engineer- 
ing analysis or by logic level simulation. 

Parameters that couldn't be obtained from the manufacturers were esti- 
mated by an engineering analysis. One of the required simulator inputs is 
called program integrity (PI). This simulator input is the probability that 
a transient fault in the GPC memory does not alter a program word. 

We use a "top-down" approach by subdividing the GPC memory into functional 
components and then in turn further partitioning these functional components. 
For each transient failure mode within a component we determine whether 
memory will 


• Always be corrupted, 

• Be corrupted only if the component is used, or 

• Never be corrupted. 


The expression for the program integrity can be written as one minus the 
probability that a transient fault alters a program word. Thus PI is written 
as 

PI = 1 - \frac{\sum_i n_i \sum_j t_{ij} \beta_{ij}}{\sum_i n_i \sum_j t_{ij}} 

where: t_{ij} is the rate of occurrence of transient failure mode j in component i, 
\beta_{ij} is the probability that transient failure mode j in component i 
corrupts memory, and 
n_i is the number of components of type i. 

The first partitioning of a 16K 2½D core memory as found in the IBM 4π AP-101 
basic configuration is shown in Figure 5.5-1. This partitioning divides the 
memory into the timing page and four storage pages. 

FIGURE 5.5-1 PARTITIONING THE AP-101 MEMORY 

Further partitioning continues as shown in Figure 5.5-2 for a storage 
page. We see from this partitioning that a transient in the output buffer will 
only corrupt the memory output, but a transient in the data register would 
surely corrupt memory during the restore cycle as well as the memory output. 

Consider the case of a Y-driver as shown in Figure 5.5-3. If a transient 
strikes a powered Y-driver, then any Y-driver failure mode will corrupt 
memory during the read and/or restore cycle. The quantity \beta_{ij} for a 
Y-driver then becomes the probability that it is selected while a transient 
is active. 

The Y-driver on the page has a 1/32 probability of being used, and for a 16K 
memory, the page of the driver of interest has a 50 percent probability of being 
used. If we assume program words are accessed every 3 μs, then the quantity 
\beta_{ij} for one Y-driver becomes 

\beta_{ij} = 1 - \sum_{n \geq 1} \left(\frac{63}{64}\right)^n P(T_d = 3n\ \mu s) 

where T_d is a discrete random variable representing transient duration. If we 
assume it is uniform from 3 μs to 300 μs at intervals of 3 μs for ease of 
computation, then \beta_{ij} becomes 

\beta_{ij} = 1 - \frac{1}{100} \sum_{n=1}^{100} \left(\frac{63}{64}\right)^n = .57 

Computing the \beta's as above for the remaining functional components and 
finding the t_{ij}'s as is done for permanent faults, program integrity is 
found to be .30. 
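The two expressions above, PI as the rate-weighted complement of the β's and β for a mode that corrupts memory only if its component is selected while the transient is active, written out as an added Python example (not code from the report). The component names, rates and selection probability below are constructed for illustration and are not the AP-101 figures.

```python
"""Program integrity (PI) of a memory partitioned into functional components.

Added example, not code from the CAST report. Component names, transient
rates t_ij and the selection probability are constructed; they are not the
AP-101 values. Rates may be in any common unit: they cancel in the ratio.
"""
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple


def beta_always() -> float:
    """Transient mode that always corrupts memory (e.g. a data register hit
    during the restore cycle)."""
    return 1.0


def beta_never() -> float:
    """Transient mode that never corrupts memory (e.g. an output buffer hit
    that only disturbs the memory output)."""
    return 0.0


def beta_if_used(p_select: float, duration_pmf: Sequence[Tuple[int, float]]) -> float:
    """Mode that corrupts memory only if the component is selected while the
    transient is active.

    p_select     : probability the component is used on any one memory access
    duration_pmf : list of (n, P(Td = n access periods)); must sum to 1

    beta = 1 - sum_n (1 - p_select)^n P(Td = n): one minus the probability the
    component is never selected during the n accesses the transient spans.
    """
    if not 0.0 <= p_select <= 1.0:
        raise ValueError("p_select must be a probability")
    if abs(sum(prob for _, prob in duration_pmf) - 1.0) > 1e-9:
        raise ValueError("duration distribution must sum to 1")
    missed = sum(prob * (1.0 - p_select) ** n for n, prob in duration_pmf)
    return 1.0 - missed


def uniform_duration(n_max: int) -> List[Tuple[int, float]]:
    """Td uniform over 1..n_max access periods, the report's 'for ease of
    computation' assumption."""
    return [(n, 1.0 / n_max) for n in range(1, n_max + 1)]


@dataclass
class Component:
    name: str
    count: int                                   # n_i, number of this type
    modes: List[Tuple[float, float]] = field(default_factory=list)  # (t_ij, beta_ij)


def program_integrity(components: Sequence[Component]) -> float:
    """PI = 1 - sum_i n_i sum_j t_ij beta_ij / sum_i n_i sum_j t_ij."""
    num = 0.0
    den = 0.0
    for c in components:
        for rate, beta in c.modes:
            if rate < 0.0 or not 0.0 <= beta <= 1.0:
                raise ValueError(f"bad transient mode in {c.name}")
            num += c.count * rate * beta
            den += c.count * rate
    if den == 0.0:
        raise ValueError("no transient failure modes supplied")
    return 1.0 - num / den


# Constructed 'only if used' case: selected on 1/16 of accesses, transient
# lasting 1..50 access periods with equal probability (not the page's 1/64, 100).
Y_DRIVER_BETA = beta_if_used(p_select=1 / 16, duration_pmf=uniform_duration(50))

# Constructed partition (hypothetical rates, not the report's values).
EXAMPLE = [
    Component("data register", 1, [(2.0, beta_always())]),   # restore cycle corrupted
    Component("output buffer", 4, [(1.0, beta_never())]),    # output only
    Component("y-driver", 1, [(3.0, Y_DRIVER_BETA)]),        # only if selected
]

if __name__ == "__main__":
    print("beta for the constructed Y-driver case:", round(Y_DRIVER_BETA, 4))
    print("PI for the constructed partition:", round(program_integrity(EXAMPLE), 4))
```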
5.5.3 INTERPRETATION OF SIMULATOR OUTPUT 

The simulation results are only meaningful when examined with the 
system configuration defined by the input deck. Thus, of the six pages of 
simulator output, four pages are devoted to describing the configurations of 
the software, GPCs, and flight critical devices. Figure 5.5-4 on the facing 
page shows a simulator-produced summary of the GPC configuration for the 
baseline simulator run. 

The top line (in this case "QUADRUPLEX") indicates the basic config- 
uration of the GPCs. In this case, "QUADRUPLEX" indicates that there are four 
GPCs, all of which perform identical operations and compare the results for 
fault detection and isolation. "TRIPLEX WITH 2 SPARES" would indicate that 
the redundant set consisted of three computers; but in addition, two spares are 
included that are either powered down or perform non-critical computations until 
a failure occurs in one of the redundant computers. A spare is then chosen to 
replace the faulty computer. The "TRIPLEX WITH 2 SPARES" configuration could 
be used for non-critical mission phases. The next two lines indicate that 
500,000 6-hour missions were simulated. 

The next section of output is headed by "TRANSIENT RECOVERY PROCEDURES." 
It lists the transient recovery procedures in use and their performance 
characteristics. The baseline system uses two transient recovery methods. 
"DELAY RECONFIGURATION" indicates that reconfiguration doesn't occur unless two 
faults occur within a specified time interval. Thus, transients causing data 
errors which are compensated by the control loop calculations after an 
iteration will not cause the loss of a computer. The DURATION indicates a 
1.0 millisecond overhead to do this recovery procedure. The RECURRENCE INTERVAL 
indicates that if two faults occur in the same computer within a 1280 
millisecond period, the second fault is assumed to be a recurrence of the first 
fault and will cause system degradation. An EFFECTIVENESS of 0.5 indicates 
that half of the transient faults that do not cause damage to the program can 
be "corrected" (i.e., not cause unnecessary system degradation) by this 
procedure. A SYSTEM RESTART is invoked because of multiple faults where the 
faulty computer cannot be isolated. One thousand milliseconds is required for 
a SYSTEM RESTART. MEMORY-COPY, ROLLAHEAD, AND ROLLBACK can also be incorporated 
into the system configuration as transient recovery procedures. If they are, 
they will be listed in this section along with their characteristics. 
FIGURE 5.5-4 SIMULATOR SUMMARY OF THE GPC CONFIGURATION (BASELINE RUN) 

QUADRUPLEX 
NUMBER OF MISSIONS                      500000 
MISSION DURATION                        6.0000 HOURS 

TRANSIENT RECOVERY PROCEDURES 
  DELAY RECONFIGURATION 
    DURATION                            1.00 MILLISECONDS 
    RECURRENCE INTERVAL                 1280.00 MILLISECONDS 
    EFFECTIVENESS                       .500000 
  SYSTEM RESTART 
    DURATION                            1000.00 MILLISECONDS 

RECOVERY PARAMETERS 
  PROGRAM SURVIVABILITY                 .100000 
  PROBABILITY OF FAULT DETECTION BY BITE 
    CENTRAL PROCESSOR                   .458 
    MEMORY                              .981 
    I/O PROCESSOR                       -0.000 
  STP EFFICIENCY                        .919000 
  MEAN DIAGNOSIS TIME                   6.50 MILLISECONDS 
  DELAY BEFORE RECOVERY                 0.00 MILLISECONDS 
  ISOLATION DURATION                    0.00 MILLISECONDS 

SOFTWARE PARAMETERS 
  ITERATION PERIOD                      40.00 MILLISECONDS 
  MINOR CYCLE DURATION                  40.00 MILLISECONDS 
  MAJOR CYCLE DURATION                  1280.00 MILLISECONDS 
  TIME BETWEEN COMPARISONS              40.00 MILLISECONDS 
  MAXIMUM DOWN TIME                     1000.00 MILLISECONDS 
  MINOR CYCLE PROGRAM SIZE              .500000 
  ASYNCHRONOUS EXECUTIVE - INTERRUPT RATE 100.0 PER SECOND 
  DEDICATED I/O PROCESSORS 
"RECOVERY PARAMETERS" heads the next section of the GPC configuration 
summary. Here the program survivability, the BITE fault detection 
probabilities and the Self Test Program (STP) characteristics are listed. The 
PROGRAM SURVIVABILITY represents the probability that the program survives 
given that a memory transient occurs. Since the main memory is CORE DRO, every 
word read from memory must be re-written into memory by the hardware. Thus, if 
an error occurs during the read cycle of an instruction, it is written back 
into memory, corrupting the program. This is reflected by a low value of 
program survivability (0.1). According to the listing, BITE has a probability 
of 0.458 for detecting CPU faults and a probability of 0.981 for detecting 
memory faults. Negative zero indicates that the parameter was unspecified. The 
STP EFFICIENCY indicates that the probability of detecting a fault by means of 
a computer self test (software) is 0.919. If a computer is faulty, this fact 
will be detected in an average duration of 6.5 milliseconds. The ISOLATION 
DURATION of zero indicates that once a fault is detected, its isolation is 
nearly immediate. 

DELAY BEFORE RECOVERY indicates the amount of time transient recovery is 
delayed in order to allow the transient to become inactive. In this case there 
is no delay. 

Under "SOFTWARE PARAMETERS" are listed the assumed values for the 
ITERATION PERIOD, the MINOR CYCLE DURATION, the MAJOR CYCLE DURATION, the TIME 
BETWEEN COMPARISONS, the MAXIMUM DOWN TIME, the relative MINOR CYCLE PROGRAM 
SIZE, and the type of executive structure. The ITERATION PERIOD, which 
specifies the time between consecutive major control loop calculations, is 
assumed to be the same as the MINOR CYCLE DURATION, which is 40 milliseconds. 
The major cycle consists of 32 minor cycles and thus lasts 1280 milliseconds. 
It was assumed that there is one comparison every minor cycle; thus the TIME 
BETWEEN COMPARISONS is 40.00 milliseconds. The MINOR CYCLE PROGRAM SIZE 
indicates that half of the computer time is spent executing minor cycle 
calculations. The software structure is ASYNCHRONOUS with an average rate of a 
hundred interrupts per second. The system must recover in less than a second 
in order to avoid system failure. This is specified by the MAXIMUM DOWN TIME 
being 1000 milliseconds. DEDICATED I/O PROCESSORS indicates that an 
input-output processor is dedicated to each of the computers. 
Figure 5.5-5 lists the failure rates for each of the GPC devices. 
NOTATIONS defines what is meant by MODULE 1, MODULE 2 and MODULE 3. The impact 
of I/O processor faults represents the probability that an IOP fault affects 
the computer, a bus, or both the computer and a bus. Here it was assumed that 
all IOP faults affect the computer but not the bus. The DESCRIPTION OF THE 
FAULTY ENVIRONMENT lists the permanent failure rate, the transient failure 
rate and the average transient duration for each of the CPU, the IOP, and the 
memory. 


The failure rates of the devices for the flight critical bus partition 
are listed in Figure 5.5-6, which is Page 3 of the simulator output. The NET 
PERMANENT FAILURE RATE represents the total failure rate of all of the devices 
taking into account their redundancy. Thus, the ADTA's failure rate is included 
four times in the net failure rate calculation because there are four ADTAs. 
All failure rates are listed in number of failures per million hours. The ADTA 
(Air Data Transducer) has a permanent failure rate of 250 failures per million 
hours. The MDMs and DDUs each have two permanent failure rates associated with 
them. The first number indicates the failure rate of the main body of the MDM 
and the second number indicates the failure rate of the redundant portion of 
the MDM associated with each FC bus interface. For the baseline run, all flight 
critical device transient failure rates were assumed to be zero. This was done 
because nearly all transient faults will not cause system degradation. The 
-0.00 in each column indicates that the input was not specified. 
Figure 5.5-7 illustrates the fourth page of simulator output. It lists 
the assumed transient leakages, permanent coverages, and fault detection 
probabilities for each of the devices in the flight critical bus partition. 
Two leakages and coverages are specified for the MDMs and DDUs. The first 
column represents the leakage/coverage for a fault occurring in the 
non-redundant portion of the BTU. The second column represents the 
leakage/coverage for a fault occurring in the redundant portion of the BTU. 
The DDU devices (i.e., AVVI, AMI, HSI and ADI) have two transient detection 
probabilities associated with them: the first number is the transient 
detectability when one device is active and the second is the transient 
detectability when two devices are active. Similarly, the dedicated devices on 
the flight forward MDMs have four transient detectabilities associated with 
them, giving the probability of detecting a fault when one, two, three or four 
devices are active respectively. There are three permanent coverages for each 
device: the first is the probability of recovery from a permanent fault when 
two devices are active; the second is the coverage when three devices are 
active; and the third is the coverage when four devices are active. 
Figure 5.5-8 shows the first page of output statistics that was generated 
by the simulator. The top four lines indicate the number of faults that 
occur in the entire system including both the GPC partition and the FCB 
partition. In this case, a total of 53,595 faults occurred during the 
simulation of 500,000 missions. Only 35 system failures occurred as a result 
of all of these faults. 

The next section, which is headed by "GPC FAULT AND RECOVERY STATISTICS," 
lists several statistics for each state of the configuration (i.e., for 
quadruplex, residue triplex, residue duplex, and residue simplex). The columns 
headed "PERMANENT FAULTS," "TRANSIENT FAULTS," and "TOTAL FAULTS" list the 
number of faults that occur for each of the GPC configurations. The "SYSTEM 
FAILURES" column lists the number of flight-critical failures that occurred for 
each GPC configuration. The number of transients resulting in system 
degradation is listed in the column entitled "LEAKY TRANSIENTS." The 
"DEGRADATIONS TO" column lists the number of times the configuration degraded 
to each GPC redundancy level because of a fault. Thus, while the GPCs were in 
the initial configuration (quadruplex), they sustained 11,546 permanent GPC 
faults and 11,752 transient faults. Of the 11,752 transient faults, 8,179 of 
them resulted in system degradation. Thus there were 8,179 + 11,546 = 19,725 
system degradations from quadruplex. By examining the "DEGRADATIONS TO" 
column, it can be seen that all degradations from quadruplex were to triplex. 
For this calculation, it was assumed that all 8,179 leaky transients and 
11,546 permanents resulted in system degradation. The GPC recovery procedure 
statistics list the number of times each of the transient recovery procedures 
was invoked. 

The estimated mission failure probability, transient leakages, and 
coverages all have a confidence interval associated with them. The mission 
success probability is calculated from the ratio of the number of system 
failures to the total number of missions. The simulation statistics indicate 
that the mission failure probability is 0.000072 ± 0.000024. This indicates 
that the system failure probability falls between 4.8×10^-5 and 9.6×10^-5 with 
95% confidence. This is not the exact confidence interval, but a close 
estimate that assumes a large number of tries (see [FREU 62] for details). 
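The interval estimate described above, as an added example that is not code from the report or its simulator: the large-number-of-tries normal approximation applied to the counts quoted in the text, with the same construction reused for the quadruplex transient leakage ratio.

```python
"""Point estimates and approximate 95% confidence intervals for the Monte
Carlo mission statistics discussed in the text.

Added example, not code from the CAST report or its simulator. Every ratio
is treated as a binomial proportion k/n with the large-sample normal
approximation, which is the 'large number of tries' assumption the text
makes; the counts are the ones quoted from the baseline run.
"""
import math
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Estimate:
    value: float        # k / n
    half_width: float   # z * sqrt(p (1 - p) / n)

    @property
    def interval(self) -> Tuple[float, float]:
        """Interval clipped to [0, 1], since the quantity is a probability."""
        return (max(0.0, self.value - self.half_width),
                min(1.0, self.value + self.half_width))


def proportion_ci(k: int, n: int, z: float = 1.96) -> Estimate:
    """Normal-approximation interval for a proportion k/n.

    Only a close estimate: it needs n large and k not tiny (rule of thumb,
    k of at least about 10), otherwise an exact binomial interval is required.
    """
    if n <= 0 or k < 0 or k > n:
        raise ValueError("need 0 <= k <= n and n > 0")
    p = k / n
    return Estimate(p, z * math.sqrt(p * (1.0 - p) / n))


def mission_failure_probability(system_failures: int, missions: int,
                                z: float = 1.96) -> Estimate:
    """Mission failure probability: system failures / missions simulated."""
    return proportion_ci(system_failures, missions, z)


def transient_leakage(leaky: int, transients: int, z: float = 1.96) -> Estimate:
    """Fraction of transient faults that caused system degradation."""
    return proportion_ci(leaky, transients, z)


def degradations(leaky: int, permanents: int) -> int:
    """Each leaky transient and each permanent fault degrades the set."""
    return leaky + permanents


# Counts quoted in the text for the baseline run (500,000 six-hour missions).
MISSIONS = 500_000
SYSTEM_FAILURES = 35
QUAD_PERMANENTS = 11_546
QUAD_TRANSIENTS = 11_752
QUAD_LEAKY = 8_179

if __name__ == "__main__":
    fp = mission_failure_probability(SYSTEM_FAILURES, MISSIONS)
    print(f"mission failure probability {fp.value:.6f} +/- {fp.half_width:.6f}")
    print("95% interval:", tuple(round(x, 6) for x in fp.interval))
    lk = transient_leakage(QUAD_LEAKY, QUAD_TRANSIENTS)
    print(f"quadruplex transient leakage {lk.value:.3f} +/- {lk.half_width:.3f}")
    print("degradations from quadruplex:", degradations(QUAD_LEAKY, QUAD_PERMANENTS))
```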
Figure 5.5-9 shows the mission statistics generated for the FCB partition. 
The number of flight-critical failures indicates that 35 system failures 
occurred because of faults in the FCB partition. Of these, six occurred 
because of uncovered faults (i.e., faults that were not detected), and 
twenty-eight occurred because of faults that were detected, but not covered. 
The latter number was obtained by adding the numbers in the "UNCOVERED 
PERMANENTS" column. For each device, the number of transients, permanents, 
leaky transients, and uncovered permanents are listed. Here, the number of 
transients and leaky transients for each device is zero, because the transient 
failure rate was assumed to be zero. The number of permanent faults and system 
failures occurring in a specific device type are listed in the appropriate 
row. Thus, 9,027 faults occurred in the TACANs, and there were 13 system 
failures because of inadequate TACAN coverage or TACAN redundancy. 
[Printout: FIGURE 5.5-9 FLIGHT CRITICAL BUS PARTITION MISSION STATISTICS] 

6.0 DPS SURVIVABILITY ESTIMATES 

6.1 BASELINE PARAMETER APPROACH 

In order to make mission success probability calculations using the 
analytic models described in Section 4 and the simulation models described in 
Section 5, it is necessary to obtain values for the various parameters required 
in these models. The approach taken was to obtain a baseline set of parameters 
and then vary these parameters to reflect the several options investigated. 
Because the Shuttle ALT configuration has been approved through the various 
design reviews and is in the process of being brought into being, this 
configuration was chosen as the baseline from which variations would be made. 

The parameter values used for the baseline configuration were obtained 
using four different approaches. These are: (1) contractor's direct estimate; 
(2) NASA estimate; (3) Ultrasystems direct estimate; and (4) Ultrasystems 
estimate. One might wonder why approach 1, contractor's direct estimate, was 
not used for all parameter determinations. It was not used because MTTF, or 
its reciprocal, the failure rate, was not required for each unit. However, 
there were contractors who had supplied this information and thus, where 
available, it was used. The adjective "direct" is used to indicate that the 
estimate was obtained by a detailed analysis, e.g., use of individual part 
failure rates when estimating an overall unit failure rate. Estimates not 
labelled "direct" were obtained by comparison of comparable equipment. All 
contractor direct estimates and NASA estimates were obtained from the Project 
Monitor for this contract. Ultrasystems direct estimates were made for 
corroborative purposes for selected units. Ultrasystems estimates (non-direct) 
were made where other estimates were not obtainable. 

The two primary categories of parameters for which estimates were 
obtained were unit permanent failure rates and unit self-test program 
effectiveness. Where unit permanent failure rates were not available from 
either contractor direct estimates or NASA estimates, Ultrasystems estimated 
the values using the assumption that equipments that were mechanized using 
similar technologies would have failure rates that are proportional to weight. 
It is thought that this is a reasonable assumption. All estimates of unit 
self-test program effectiveness were from contractor direct estimates. 

A computer listing of the baseline parameters is shown in Figure 6.1-1. 
[Printout: FIGURE 6.1-1 BASELINE PARAMETERS. One row per device and 
redundancy level (FF MDM, ADTA, ACCEL, IMU, TACAN, MSBLS, RHC, RPTA, SBTC, 
FA MDM, ASA, RGYRO, DDU, AVVI, AMI, HSI, ADI, PCMMU, OF MDM, OA MDM), each 
row giving the device name, the redundancy level and four parameter columns.] 
6.2 BASELINE RESULTS 

The flight-critical-bus simulation and analytic model are cross-checked 
using the baseline parameter set as a basis on which to verify their accuracy. 
Agreement between these two approaches means that the modeling approach 
discussed in Section 4.4 is a valid approximation. For the baseline parameter 
set, the forward flight-critical-bus analytic model predicts a survivability 
of .9999423 while the simulator yields a result of .9999437. Thus they differ 
by only 14 parts in 10^7. These results certainly agree within the accuracy of 
the Monte Carlo simulation. 

The survivability results for the baseline configuration are given in 
the listings that follow. In these listings, survivability and failure 
probability versus mission times from one to twenty hours are given for each 
partition and flight critical device. (Failure probability is the complement 
of survivability, i.e. FP(T) = 1 - S(T).) There are twenty-seven printout pages 
in all. 

There are several interesting features of these results that are 
summarized on the opposite page. The GPC set, with a detectability of 1, has a 
failure probability two orders of magnitude better than the TACAN set, with a 
detectability of .999, the design goal. The GPC and TACAN have similar failure 
rates. Variations of detectability will be studied in a later section. 

The TACAN and MSBLS, with relatively high failure rates, account for 
57% of the forward flight critical failure probability. The hand controls add 
only a minuscule amount to the total failure probability. The forward flight 
critical MDM system contributes 71.6% of the total safety-critical failure 
probability, a very significant amount that is primarily due to the large TACAN 
and MSBLS failure rates. 

The aft flight critical MDM system partition, the flight displays, and 
the MCDS contribute a much smaller percentage to the overall safety critical 
failure probability, i.e. 11.1%, 11.8%, and 5.1%, respectively. The GPC 
contribution is a minuscule .4%. 

Mission critical functions are not as important in ALT as they are in 
orbital flights. About the only loss sustained would be some telemetry data. 
SUMMARY OF SHUTTLE (ALT) AVIONICS SURVIVABILITIES 
FOR A SIX-HOUR MISSION 

Unit                     Failure Probability     Percent of Total Safety Critical 
GPC                      3.5(10)^-7              .4 
TACAN                    2.3(10)^-5              N/A 
MSBLS                    1.0(10)^-5              N/A 
FWD FLIGHT CRITICAL      5.80(10)^-5             71.6 
AFT FLIGHT CRITICAL      9.0(10)^-6              11.1 
FLIGHT DISPLAYS          9.58(10)^-6             11.8 
MCDS                     4.1(10)^-6              5.1 
SAFETY CRITICAL          8.10(10)^-5             100.0 
MISSION CRITICAL         1.4(10)^-4              N/A 
[Printout: SURVIVABILITY FOR MCDS. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 
[Printout: SURVIVABILITY FOR GPC. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 
[Printout: SURVIVABILITY FOR FF MDM. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 
[Printout: SURVIVABILITY FOR ADTA. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 
[Printout: SURVIVABILITY FOR ACCEL. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 
[Printout: SURVIVABILITY FOR IMU. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 
[Printout: SURVIVABILITY FOR TACAN. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 

[Printout: SURVIVABILITY FOR MSBLS. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 
[Printout: SURVIVABILITY FOR RHC. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 
[Printout: SURVIVABILITY FOR RPTA. Columns: MISSION TIME (HOURS), 1 to 20; 
CONFIGURATION SURVIVABILITY; FAILURE PROBABILITY.] 
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REPRODUCIBILITY OF THE 
ORIGINAL PAGE IS POOR 


SU C V IV A? XL TTY FQ 9 S">Tn 


m I 5 S 1 0 M 
TIHE (HOURS) 


1.303303 

2 . C Q 0 ‘3 0 3 

3 . C 0 0 <3 0 ? 
4.-3 03 30 : 
5. 0 00 3*3 0 
F, . 3 0 0 3 3 C 
7 . 3 C 0 0 3 0 

3.-300:33 

9.333000 
1 *3 • u 0 \j 'j 0 0 
11.033333 
12.000)3? 
1 3 . G 3 3 3.3 3 
14.C0C33C 
15 . 001 : o o o 
1c .GQC0G0 

1 7 . 0 0 r : 3 3 
1S.0GC3G0 
19.0GCQ30 

20. 000000 


CONFIGURATION 

survivability 


1 .000000 
1 . 0 C 0 3 0 0 
1 . G00G3G 
1 . CQOCCO 

1 .000003 
1 . 0 0 0 G C 0 
i. 0 03 0 CO 
1.0C03J3 
1 . G 0 3 0 0 3 
1 . G 0 0 0 C 0 
1. POO 030 

1. 000003 

i . c o o j <: o 

i . 0 0 3 G u Q 
1 . G 0 C 0 0 0 
1 . C* 0 3 0 0 C 
1.003033 
1 . 0 QO QC C 
1 . 0 Q 0 0 C 0 
i.QOOQOG 


F AILU°E 
PROBABILITY 


.60GQ63E-08 
. 120024E-07 
.180353E-07 
. 240 G9 5E-Q7 
.3G3148E— 37 
. 363214F-07 
. 423 290F-G7 
. 483380 E- 07 
.540480E-Q7 
.633593E-G7 
.660 7 17E-07 
•72J854E-37 
.7 81002E-07 
.8411628-07 
.9D1334E-07 
. 961 51 2 E- 0 7 
.1G2171E-06 
. 108 192 E- 06 
.114214F-06 
. 123237E-06 
SURVIVABILITY FOR FA MDM
(printout header partly illegible in the scan, read as FA MDM; the six-hour value matches the AFT MDM "without alternate port" entry of the Section 6.3.1 summary)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999999         .879935E-06
     2         .999998         .175953E-05
     3         .999997         .263918E-05
     4         .999996         .351853E-05
     5         .999996         .439774E-05
     6         .999995         .527697E-05
     7         .999994         .615593E-05
     8         .999993         .703488E-05
     9         .999992         .791370E-05
    10         .999991         .879243E-05
    11         .999990         .967110E-05
    12         .999989         .105497E-04
    13         .999989         .114283E-04
    14         .999988         .123069E-04
    15         .999987         .131854E-04
    16         .999986         .140639E-04
    17         .999985         .149425E-04
    18         .999984         .158211E-04
    19         .999983         .166997E-04
    20         .999982         .175784E-04
SURVIVABILITY FOR ASA

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         1.000000        .399930E-06
     2         .999999         .799921E-06
     3         .999999         .119982E-05
     4         .999998         .159959E-05
     5         .999998         .199952E-05
     6         .999998         .239932E-05
     7         .999997         .279909E-05
     8         .999997         .319882E-05
     9         .999996         .359852E-05
    10         .999996         .399818E-05
    11         .999996         .439784E-05
    12         .999995         .479746E-05
    13         .999995         .519705E-05
    14         .999994         .559662E-05
    15         .999994         .599616E-05
    16         .999994         .639569E-05
    17         .999993         .679519E-05
    18         .999993         .719467E-05
    19         .999992         .759413E-05
    20         .999992         .799358E-05
SURVIVABILITY FOR RGYRO

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         1.000000        .200759E-06
     2         1.000000        .402899E-06
     3         .999999         .606239E-06
     4         .999999         .810962E-06
     5         .999999         .101701E-05
     6         .999999         .122438E-05
     7         .999999         .143303E-05
     8         .999998         .164310E-05
     9         .999998         .185445E-05
    10         .999998         .206714E-05
    11         .999998         .228115E-05
    12         .999998         .249650E-05
    13         .999997         .271318E-05
    14         .999997         .293119E-05
    15         .999997         .315054E-05
    16         .999997         .337123E-05
    17         .999996         .359326E-05
    18         .999996         .381662E-05
    19         .999996         .404133E-05
    20         .999996         .426738E-05
SURVIVABILITY FOR (unit name illegible in the scan; the header reads something like "QOU", possibly DDU)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         1.000000        .225361E-06
     2         1.000000        .458888E-06
     3         .999999         .694517E-06
     4         .999999         .933309E-06
     5         .999999         .118324E-05
     6         .999999         .144432E-05
     7         .999998         .170653E-05
     8         .999998         .197438E-05
     9         .999998         .224937E-05
    10         .999997         .253030E-05
    11         .999997         .281576E-05
    12         .999997         .310966E-05
    13         .999997         .340860E-05
    14         .999996         .371335E-05
    15         .999996         .402514E-05
    16         .999996         .434256E-05
    17         .999995         .466611E-05
    18         .999995         .499530E-05
    19         .999995         .533150E-05
    20         .999994         .567354E-05
SURVIVABILITY FOR AVVI

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         1.000000        .307934E-06
     2         .999999         .627878E-06
     3         .999999         .959109E-06
     4         .999999         .130170E-05
     5         .999998         .165559E-05
     6         .999998         .202086E-05
     7         .999998         .239750E-05
     8         .999997         .278552E-05
     9         .999997         .318491E-05
    10         .999996         .359567E-05
    11         .999996         .401779E-05
    12         .999996         .445128E-05
    13         .999995         .489613E-05
    14         .999995         .535234E-05
    15         .999994         .581990E-05
    16         .999994         .629882E-05
    17         .999993         .678909E-05
    18         .999993         .729070E-05
    19         .999992         .780367E-05
    20         .999992         .832797E-05
SURVIVABILITY FOR AMI
(printout header partly illegible in the scan, read as AMI; a question mark stands for an illegible digit)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         1.000000        .381247E-06
     2         .999999         .779767E-06
     3         .999999         .11955?E-05
     4         .999998         .162855E-05
     5         .999998         .207832E-05
     6         .999997         .254634E-05
     7         .999997         .303139E-05
     8         .999996         .353338E-05
     9         .999996         .405230E-05
    10         .999995         .458875E-05
    11         .999995         .514241E-05
    12         .999994         .571329E-05
    13         .999994         .630133E-05
    14         .999993         .690667E-05
    15         .999992         .752917E-05
    16         .999992         .816846E-05
    17         .999991         .882574E-05
    18         .999991         .949981E-05
    19         .999990         .101911E-04
    20         .999989         .108995E-04
SURVIVABILITY FOR HSI
(printout header partly illegible in the scan, read as HSI)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         1.000000        .164773E-06
     2         1.000000        .332355E-06
     3         .999999         .504245E-06
     4         .999999         .678944E-06
     5         .999999         .855950E-06
     6         .999999         .103828E-05
     7         .999999         .122238E-05
     8         .999999         .141081E-05
     9         .999998         .160204E-05
    10         .999998         .179658E-05
    11         .999998         .199443E-05
    12         .999998         .219557E-05
    13         .999998         .240003E-05
    14         .999997         .260778E-05
    15         .999997         .281885E-05
    16         .999997         .303321E-05
    17         .999997         .325098E-05
    18         .999997         .347135E-05
    19         .999996         .369512E-05
    20         .999996         .392369E-05
SURVIVABILITY FOR ADI

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         1.000000        .229060E-06
     2         1.000000        .464465E-06
     3         .999999         .705214E-06
     4         .999999         .954306E-06
     5         .999999         .120874E-05
     6         .999999         .146952E-05
     7         .999998         .173668E-05
     8         .999998         .201008E-05
     9         .999998         .228987E-05
    10         .999997         .257600E-05
    11         .999997         .286846E-05
    12         .999997         .316726E-05
    13         .999997         .347238E-05
    14         .999996         .378385E-05
    15         .999996         .410165E-05
    16         .999996         .442577E-05
    17         .999995         .475623E-05
    18         .999995         .509301E-05
    19         .999995         .543611E-05
    20         .999994         .578555E-05
SURVIVABILITY FOR PCMMU

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999996         .419423E-05
     2         .999990         .984131E-05
     3         .999983         .173689E-04
     4         .999974         .255613E-04
     5         .999964         .358166E-04
     6         .999953         .471296E-04
     7         .999940         .600968E-04
     8         .999925         .745147E-04
     9         .999910         .903795E-04
    10         .999892         .107697E-03
    11         .999874         .126434E-03
    12         .999853         .146617E-03
    13         .999832         .168231E-03
    14         .999809         .191274E-03
    15         .999784         .215741E-03
    16         .999758         .241629E-03
    17         .999731         .268933E-03
    18         .999702         .297651E-03
    19         .999672         .327778E-03
    20         .999641         .359312E-03
SURVIVABILITY FOR OF MDM AND OA MDM
(two consecutive printouts with identical values)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999999         .622062E-06
     2         .999999         .128853E-05
     3         .999998         .200028E-05
     4         .999997         .275643E-05
     5         .999996         .355721E-05
     6         .999996         .440252E-05
     7         .999995         .529264E-05
     8         .999994         .622725E-05
     9         .999993         .720642E-05
    10         .999992         .823015E-05
    11         .999991         .929841E-05
    12         .999990         .104112E-04
    13         .999988         .115694E-04
    14         .999987         .127701E-04
    15         .999986         .140153E-04
    16         .999985         .153069E-04
    17         .999983         .166419E-04
    18         .999982         .180213E-04
    19         .999981         .194451E-04
    20         .999979         .209132E-04
SURVIVABILITY FOR AFT FC (aft flight critical)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999999         .143325E-05
     2         .999997         .289090E-05
     3         .999996         .437307E-05
     4         .999994         .587988E-05
     5         .999993         .741146E-05
     6         .999991         .896793E-05
     7         .999989         .105494E-04
     8         .999988         .121551E-04
     9         .999986         .137879E-04
    10         .999985         .154452E-04
    11         .999983         .171280E-04
    12         .999981         .188385E-04
    13         .999979         .205737E-04
    14         .999978         .223308E-04
    15         .999976         .241158E-04
    16         .999974         .259291E-04
    17         .999972         .277675E-04
    18         .999970         .296324E-04
    19         .999968         .315238E-04
    20         .999967         .334417E-04
SURVIVABILITY FOR S CRIT (safety critical)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999989         .113743E-04
     2         .999976         .235779E-04
     3         .999963         .366292E-04
     4         .999949         .505495E-04
     5         .999935         .653501E-04
     6         .999919         .810744E-04
     7         .999902         .977179E-04
     8         .999885         .115325E-03
     9         .999866         .133864E-03
    10         .999847         .153404E-03
    11         .999826         .173949E-03
    12         .999804         .195516E-03
    13         .999782         .218126E-03
    14         .999758         .241792E-03
    15         .999733         .266537E-03
    16         .999708         .292380E-03
    17         .999681         .319337E-03
    18         .999653         .347427E-03
    19         .999623         .376667E-03
    20         .999593         .407075E-03
SURVIVABILITY FOR M CRIT (mission critical)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999983         .173026E-04
     2         .999964         .359958E-04
     3         .999942         .575979E-04
     4         .999918         .815224E-04
     5         .999892         .108035E-03
     6         .999863         .137004E-03
     7         .999832         .168392E-03
     8         .999798         .202326E-03
     9         .999761         .238641E-03
    10         .999722         .277531E-03
    11         .999681         .318952E-03
    12         .999637         .362919E-03
    13         .999591         .409496E-03
    14         .999541         .458548E-03
    15         .999490         .510240E-03
    16         .999435         .564575E-03
    17         .999379         .621443E-03
    18         .999319         .680993E-03
    19         .999257         .743184E-03
    20         .999192         .808035E-03
SURVIVABILITY FOR (unit name illegible in the scan; a question mark stands for an illegible digit)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999999         .133823E-05
     2         .999997         .277977E-05
     3         .999996         .432455E-05
     4         .999994         .597252E-05
     5         .999992         .772350E-05
     6         .999990         .957774E-05
     7         .999988         .115349E-04
     8         .999986         .135950E-04
     9         .999984         .157530E-04
    10         .999982         .180233E-04
    11         .999980         .203923E-04
    12         .999977         .228626E-04
    13         .999975         .254374E-04
    14         .999972         .281139E-04
    15         .999969         .308923E-04
    16         .999966         .337743E-04
    17         .999963         .367531E-04
    18         .999960         .39844?E-04
    19         .999957         .430326E-04
    20         .999954         .463232E-04
SURVIVABILITY FOR FWD FC (forward flight critical)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999992         .793492E-05
     2         .999983         .165544E-04
     3         .999974         .258634E-04
     4         .999964         .358358E-04
     5         .999953         .465195E-04
     6         .999942         .580753E-04
     7         .999930         .702568E-04
     8         .999917         .832006E-04
     9         .999903         .968872E-04
    10         .999889         .111336E-03
    11         .999873         .126557E-03
    12         .999857         .142553E-03
    13         .999841         .159349E-03
    14         .999823         .176940E-03
    15         .999805         .195329E-03
    16         .999785         .214555E-03
    17         .999765         .234598E-03
    18         .999745         .255475E-03
    19         .999723         .277196E-03
    20         .999700         .299769E-03
6.3 SELECTED SYSTEM OPTIONS
6.3.1 USE OF ALTERNATE MDM PORT

The first option is to reconfigure GPC bus assignments to use the alternate 
flight critical MDM ports. This prevents the loss of an MDM due to a 
failure of the MIA, A/D, or SCU portions of the MDM. The effect of this is to 
internally duplex that portion of these MDM modules. The failure probability 
of an internally duplexed module is approximately 

F(T) = (λT)^2 

This is a very good approximation for λT < .01. The failure rate of these MDM 
submodules is 74 per 10^6 hours. Over the longest mission time tabulated, 
20 hours, λT is .00148, well below .01, and F(T) is 2.19(10)^-6 (at six hours 
it is smaller still). Dividing F(T) by 20 hours gives an effective failure 
rate of .11 failures per 10^6 hours, certainly very small compared to the 
remaining MDM failure rate. So for mission times of 20 hours or less, we can 
neglect the failure rate of the MIA, A/D, and SCU when we use the alternate 
port. 

For the purpose of illustration, we assume the four GPCs have access 
to the alternate aft flight critical MDM ports. This is true of OFT, but not 
for ALT. The results for a six-hour mission are summarized in the table that 
follows. Five pages of printouts of the results for 1 to 20 hour mission times 
follow the summary. There is considerable improvement in the individual MDM and 
aft flight critical failure probabilities, but very little improvement in the 
forward flight critical, whose failure probability is dominated by the TACAN 
and MSBLS contributions rather than by the MDMs. As the baseline failure rates 
stand, there is little to be gained from this option. But if the TACAN and 
MSBLS failure rates are overly pessimistic, this option should be studied 
further. 


                           FAILURE PROBABILITY (six-hour mission)
UNIT                       WITH ALTERNATE PORT   WITHOUT ALTERNATE PORT
FWD MDM                    3.7(10)^-6            5.5(10)^-6
AFT MDM                    3.5(10)^-6            5.3(10)^-6
FWD Flight Critical        5.5(10)^-5            5.8(10)^-5
AFT Flight Critical        7.0(10)^-6            9.0(10)^-6
Safety Critical            7.6(10)^-5            8.1(10)^-5

SUMMARY OF THE ALTERNATE MDM PORT OPTION 
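The duplex approximation of Section 6.3.1 carried through in code, as an added example that is not part of the report: it compares F(T) = (λT)^2 with the exact two-unit result, shows why the λT < .01 rule keeps the error near one percent, and reproduces the .00148, 2.19(10)^-6 and .11 per 10^6 hour figures quoted above. The function names, the 135-hour rule limit and the relative-error bound are this example's own; only the 74 per 10^6 hour submodule rate and the 20-hour mission bound come from the report.

```python
"""Added example (not from the report): checks the internally duplexed
module approximation F(T) = (lambda*T)**2 of Section 6.3.1 against the
exact two-unit result and reproduces the effective-rate argument.  Only
the 74 per 10**6 hour submodule rate and the 20-hour bound are the
report's; every function and name here is this example's own."""
import math

LAMBDA_SUBMODULE = 74e-6   # MIA/A/D/SCU submodule failure rate, per hour (report value)
MAX_MISSION_HOURS = 20.0   # longest mission time tabulated in the printouts


def simplex_failure(lam: float, t: float) -> float:
    """Probability that one unit with constant failure rate lam has failed by time t."""
    return 1.0 - math.exp(-lam * t)


def duplex_failure_exact(lam: float, t: float) -> float:
    """Two independent copies of the unit, either one sufficient: both must fail by t."""
    return simplex_failure(lam, t) ** 2


def duplex_failure_approx(lam: float, t: float) -> float:
    """The report's approximation for an internally duplexed module: (lam*t)**2."""
    return (lam * t) ** 2


def approx_relative_error(lam: float, t: float) -> float:
    """Relative error of the approximation.  To first order it equals lam*t,
    so the report's rule lam*t < .01 keeps the error at about one percent."""
    return duplex_failure_approx(lam, t) / duplex_failure_exact(lam, t) - 1.0


def effective_rate(lam: float, t: float) -> float:
    """Constant failure rate (per hour) that gives the same F(t) over [0, t];
    this is the report's 'divide F(T) by 20 hours' step."""
    return duplex_failure_approx(lam, t) / t


def hours_within_rule(lam: float, max_lam_t: float = 0.01) -> float:
    """Longest mission time for which lam*t stays below the .01 rule (assumed bound)."""
    return max_lam_t / lam


def report_check() -> dict:
    """Reproduce the numbers quoted in Section 6.3.1 at the 20-hour bound."""
    lam_t = LAMBDA_SUBMODULE * MAX_MISSION_HOURS
    return {
        "lambda_T": lam_t,                                                        # .00148
        "F_approx": duplex_failure_approx(LAMBDA_SUBMODULE, MAX_MISSION_HOURS),   # 2.19e-6
        "F_exact": duplex_failure_exact(LAMBDA_SUBMODULE, MAX_MISSION_HOURS),
        "rel_error": approx_relative_error(LAMBDA_SUBMODULE, MAX_MISSION_HOURS),
        "eff_rate_per_1e6_h": effective_rate(LAMBDA_SUBMODULE, MAX_MISSION_HOURS) * 1e6,  # .11
        "rule_limit_hours": hours_within_rule(LAMBDA_SUBMODULE),                  # about 135 h
    }


if __name__ == "__main__":
    for key, value in report_check().items():
        print(f"{key:>20}: {value:.6g}")
    # The rule boundary itself: at lam*t = .01 the approximation is about 1 percent high.
    print(f"rel. error at lambda*T = .01: {approx_relative_error(0.01, 1.0):.4f}")
```

The approximation always overestimates the exact duplex failure probability (1 - e^(-λT) is below λT), so using it is conservative, and at this rate the .01 rule is not reached until a mission of about 135 hours, far beyond the 20 hours tabulated.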
SURVIVABILITY FOR FF MDM (with alternate port; the FWD MDM of the summary table)
(a question mark stands for a digit that is illegible in the scan)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999999         .623952E-06
     2         .999999         .124791E-05
     3         .999998         .187158E-05
     4         .999998         .249527E-05
     5         .999997         .3118?7E-05
     6         .999996         .374241E-05
     7         .999996         .436587E-05
     8         .999995         .498927E-05
     9         .999994         .561268E-05
    10         .999994         .623588E-05
    11         .999993         .685911E-05
    12         .999993         .748229E-05
    13         .999992         .810543E-05
    14         .999991         .872857E-05
    15         .999991         .935150E-05
    16         .999990         .997467E-05
    17         .999989         .105976E-04
    18         .999989         .112206E-04
    19         .999988         (illegible)
    20         .999988         .124656E-04



SURVIVABILITY FOR FA MDM (with alternate port; the AFT MDM of the summary table)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999999         .583953E-06
     2         .999999         .116783E-05
     3         .999998         .175163E-05
     4         .999998         .233536E-05
     5         .999997         .291901E-05
     6         .999996         .350260E-05
     7         .999996         .408612E-05
     8         .999995         .466958E-05
     9         .999995         .525299E-05
    10         .999994         .583635E-05
    11         .999994         .641966E-05
    12         .999993         .700292E-05
    13         .999992         .758615E-05
    14         .999992         .816934E-05
    15         .999991         .875249E-05
    16         .999991         .933562E-05
    17         .999990         .991872E-05
    18         .999989         .105018E-04
    19         .999989         .110849E-04
    20         .999988         .116679E-04
SURVIVABILITY FOR FWD FC (forward flight critical, with alternate port)
(a question mark stands for a digit that is illegible in the scan)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999992         .759243E-05
     2         .999984         .157750E-04
     3         .999975         .245557E-04
     4         .999966         .339426E-04
     5         .999956         .439435E-04
     6         .999945         .545563E-04
     7         .999934         .658137E-04
     8         .999922         .777034E-04
     9         .999910         .902431E-04
    10         .999897         .103453E-03
    11         .999883         .11727?E-03
    12         .999868         .131793E-03
    13         .999853         .146933E-03
    14         .999837         .162855E-03
    15         .999821         .179417E-03
    16         .999803         .196676E-03
    17         .999785         .214643E-03
    18         .999767         .233314E-03
    19         .999747         .252707E-03
    20         .999727         .272825E-03
SURVIVABILITY FOR AFT FC (aft flight critical, with alternate port)
(a question mark stands for a digit that is illegible in the scan)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999999         .113178E-05
     2         .999998         .227696E-05
     3         .999997         .343559E-05
     4         .999995         .460772E-05
     5         .999994         .579341E-05
     6         .999993         .699271E-05
     7         .999992         .820563E-05
     8         .999991         .943236E-05
     9         .999989         .106728E-04
    10         .999988         .119271E-04
    11         .999987         .131953E-04
    12         .999986         .14477?E-04
    13         .999984         .157734E-04
    14         .999983         .170835E-04
    15         .999982         .184077E-04
    16         .999980         .197461E-04
    17         .999979         .210986E-04
    18         .999978         .224654E-04
    19         .999976         .238465E-04
    20         .999975         .252419E-04
SURVIVABILITY FOR S CRIT (safety critical, with alternate port)
(a question mark stands for a digit that is illegible in the scan)

MISSION TIME   CONFIGURATION   FAILURE
(HOURS)        SURVIVABILITY   PROBABILITY
     1         .999989         .107304E-04
     2         .999978         .2218?1E-04
     3         .999966         .343791E-04
     4         .999953         .473372E-04
     5         .999939         .610641E-04
     6         .999924         .755894E-04
     7         .999909         .909254E-04
     8         .999893         .107093E-03
     9         .999876         .124105E-03
    10         .999858         .141932E-03
    11         .999839         .160738E-03
    12         .999820         .180393E-03
    13         .999799         .200962E-03
    14         .999778         .222461E-03
    15         .999755         .244939E-03
    16         .999732         .268321E-03
    17         .999707         .292713E-03
    18         .999682         .318103E-03
    19         .999655         .34450?E-03
    20         .999628         .371937E-03
6.3.2 TRANSIENT-FAULT RECOVERY OPTIONS 


The baseline transient-fault recovery option, which is a delay before 
attempting a permanent-fault recovery, is quite effective for transient faults 
occurring external to the GPCs. This is due to the filtering of the processing 
algorithms and the slow response time of the actuators and displays. This 
recovery method is not as effective for transients within the GPC. It is easy 
for a program to be altered by a memory transient during a restore cycle. Also, 
CPU and IOP transients can alter data. Thus, a GPC can be left with a "permanent" 
fault actually resulting from a transient. 

The three alternate transient-fault recovery options studied here are 
rollback, rollahead, and a combination of rollahead and memory copy. Rollback 
is the procedure where the current program segment is rerun following 
fault detection. Rollahead is the procedure where the fault-free 
GPCs pass the current machine state and data points to the indicated faulty 
machine and continue computation. Memory copy is the procedure where the 
contents of the memories of the good GPCs are passed to the faulty GPC at a 
low duty cycle on a cycle-stealing basis; memory copy is followed by a rollahead 
to bring the faulty GPC back on line. 

The effectiveness of each of the transient recovery options is generated 
by the simulator. The simulation provides the transient leakage parameter for 
the model, i.e., the fraction of transient faults that are not recovered from 
and therefore act as permanent faults. Since transient-fault parameters for the 
Shuttle GPCs have not been established, the model results are given for a wide 
range of transient environments. The baseline GPC transient rate τ was made 
equal to the permanent failure rate λ, i.e., τ/λ is unity. The printouts that 
follow, in the case of the delay recovery option, show the results of 
considering both more hostile (τ/λ > 1) and more benign (τ/λ < 1) transient 
environments. 

The transient recovery option results are summarized in Table 6.3-I, 
which lists the options and the resulting transient leakages. 

Delay recovery exhibits the highest leakage, except for the case of rollahead 
and memory copy with two GPCs remaining, where these recovery options are not 
applicable and the leakage is taken as 1. Memory copy has the lowest leakage 
because memory transients are corrected. Figure 6.3-1 illustrates how these 
differences become amplified in a hostile transient environment. Listings of 
the complete results are presented on the following eight pages. They are 
denoted Tables 6.3-II through 6.3-IX. 
TABLE 6.3-I  LEAKAGE RESULTS FOR TRANSIENT RECOVERY OPTIONS 

                                TRANSIENT LEAKAGE
OPTION                   4 GPCs       3 GPCs       2 GPCs
Delay Recovery            .703         .703         .703
Rollback                  .403         .403         .403
Rollahead                 .398         .398         1
Memory Copy               0            0            1


(Figure 6.3-1: plot not reproduced in this scan; horizontal axis TRANSIENT RATE (FAULTS/10^6 HOURS))

FIGURE 6.3-1  FAILURE PROBABILITY RESULTS FOR VARIOUS TRANSIENT 
RECOVERY OPTIONS AND TRANSIENT FAULT RATES 
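An added illustrative model, not the report's CAST analytic model or its simulator, showing how the leakage values of Table 6.3-I combine with the transient-to-permanent rate ratio τ/λ: a four-GPC pure-death Markov chain in which each GPC fails permanently at rate λ, transients arrive at rate τ per GPC, the leaked fraction of them is indistinguishable from a permanent failure, and the configuration counts as failed once fewer than two GPCs remain. The failure criterion, the value of λ used for the demonstration and every function name are assumptions of this example; only the leakage figures are the report's (Table 6.3-I). The closed form 4q^3 - 3q^4 with q = 1 - e^(-rT), used as a check, holds only when the leakage is the same in every state, so the delay and rollback options, but not rollahead or memory copy, can be verified against it.

```python
"""Added illustrative model (not the report's CAST analytic model or its
simulator): a four-GPC pure-death Markov chain showing how the transient
leakage figures of Table 6.3-I combine with the rate ratio tau/lambda.
Assumptions that are this example's own, not the report's: each GPC fails
permanently at rate lambda; transients arrive at rate tau per GPC and the
leaked fraction acts as a permanent failure; the configuration has failed
once fewer than two GPCs remain; lambda is chosen for illustration only."""
import math

# Transient leakage by recovery option, keyed by the number of GPCs still good
# (values from Table 6.3-I; leakage 1 where the option is not applicable).
LEAKAGE = {
    "delay":       {4: 0.703, 3: 0.703, 2: 0.703},
    "rollback":    {4: 0.403, 3: 0.403, 2: 0.403},
    "rollahead":   {4: 0.398, 3: 0.398, 2: 1.0},
    "memory_copy": {4: 0.0,   3: 0.0,   2: 1.0},
}


def effective_rate(lam: float, tau: float, leakage: float) -> float:
    """Per-GPC rate of faults the system does not recover from: lambda + leakage*tau."""
    return lam + leakage * tau


def config_failure(option: str, lam: float, tau: float, hours: float, steps: int = 2000) -> float:
    """P(fewer than 2 of 4 GPCs remain by `hours`).

    State k is the number of good GPCs (4, 3 or 2).  The chain leaves state k at
    rate k * effective_rate(lam, tau, leakage[k]); leaving k = 2 is absorbing
    failure.  The forward Kolmogorov equations are integrated with classical
    RK4; with rates of order 1e-3 per hour the integration error is negligible.
    """
    leak = LEAKAGE[option]
    rate = {k: k * effective_rate(lam, tau, leak[k]) for k in (4, 3, 2)}

    def deriv(p):
        p4, p3, p2, _failed = p
        return (-rate[4] * p4,
                rate[4] * p4 - rate[3] * p3,
                rate[3] * p3 - rate[2] * p2,
                rate[2] * p2)

    p = (1.0, 0.0, 0.0, 0.0)
    h = hours / steps
    for _ in range(steps):
        k1 = deriv(p)
        k2 = deriv(tuple(x + 0.5 * h * d for x, d in zip(p, k1)))
        k3 = deriv(tuple(x + 0.5 * h * d for x, d in zip(p, k2)))
        k4 = deriv(tuple(x + h * d for x, d in zip(p, k3)))
        p = tuple(x + h / 6.0 * (a + 2 * b + 2 * c + d)
                  for x, a, b, c, d in zip(p, k1, k2, k3, k4))
    return p[3]


def iid_closed_form(rate: float, hours: float) -> float:
    """Exact value when every state has the same per-GPC rate: the chain is then
    the order statistics of four independent exponential lifetimes, and failure
    means at least three of the four have ended by `hours`."""
    q = 1.0 - math.exp(-rate * hours)
    return 4 * q ** 3 - 3 * q ** 4


def amplification(option: str, lam: float, hours: float, ratio: float) -> float:
    """Failure probability at tau = ratio*lambda relative to the transient-free case."""
    return config_failure(option, lam, ratio * lam, hours) / config_failure(option, lam, 0.0, hours)


if __name__ == "__main__":
    LAM, HOURS = 1.0e-4, 6.0   # lambda assumed for illustration; six-hour mission as in the printouts
    print(f"{'tau/lambda':>10} " + " ".join(f"{o:>12}" for o in LEAKAGE))
    for ratio in (0.0, 0.5, 1.0, 2.0, 5.0, 10.0):
        row = [config_failure(o, LAM, ratio * LAM, HOURS) for o in LEAKAGE]
        print(f"{ratio:>10.1f} " + " ".join(f"{f:12.3e}" for f in row))
```

Run stand-alone, the block prints a table across τ/λ of the kind Figure 6.3-1 plots. Because three fault events are needed to take four GPCs below two, the transient-free failure probability is close to 4(λT)^3, and for a uniform-leakage option the hostile-to-benign ratio grows roughly as (1 + ℓ τ/λ)^3: with ℓ = .703 and τ = 10λ the delay option's failure probability rises by a factor of about 500, whereas memory copy, which leaks only in the two-GPC state, rises by a factor of about 11. That cubic amplification is why the leakage differences of Table 6.3-I, small at τ/λ = 1, matter so much in a hostile environment.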
TABLE 6.3-II  VARIATIONS IN TRANSIENT FAULT RATE FOR THE 
DELAY RECOVERY TRANSIENT RECOVERY METHOD 

VARYING UNIT IS GPC 
MISSION TIME IS .6000000E+01 HOURS 

TAU         CONFIGURATION   FAILURE
            SURVIVABILITY   PROBABILITY
0.000000    .9999999        .7248427E-07
 .000100    .9999999        .8894629E-07
 .000200    .9999999        .1077165E-06
 .000300    .9999999        .1289433E-06
 .000400    .9999998        .1527744E-06
 .000500    .9999998        .1793567E-06
 .000600    .9999998        .2088359E-06
 .000700    .9999998        .2413609E-06
 .000800    .9999997        .2770742E-06
 .000900    .9999997        .3161216E-06
 .001000    .9999996        .3585473E-06

SAFETY CRITICAL SURVIVABILITY 

TAU         CONFIGURATION   FAILURE
            SURVIVABILITY   PROBABILITY
0.000000    .9999192        .8079221E-04
 .000100    .9999192        .8080887E-04
 .000200    .9999192        .8082744E-04
 .000300    .9999192        .8084866E-04
 .000400    .9999191        .8087249E-04
 .000500    .9999191        .8089937E-04
 .000600    .9999191        .8092855E-04
 .000700    .9999190        .8096107E-04
 .000800    .9999190        .8099678E-04
 .000900    .9999190        .8103583E-04
 .001000    .9999189        .8107835E-04
TABLE 6.3-III  VARIATIONS IN TRANSIENT FAULT RATE FOR THE 
DELAY RECOVERY TRANSIENT RECOVERY METHOD 

VARYING UNIT IS GPC 
MISSION TIME IS .6000000E+01 HOURS 
(a question mark stands for a digit that is illegible in the scan)

TAU         CONFIGURATION   FAILURE
            SURVIVABILITY   PROBABILITY
 .001000    .9999996        .3585473E-06
 .002000    .9999990        .1006559E-05
 .003000    .9999978        .2156908E-05
 .004000    .9999961        .3944939E-05
 .005000    .9999935        .6500596E-05
 .006000    .9999901        .9948554E-05
 .007000    .9999856        .1440885E-04
 .008000    .9999800        .1994606E-04
 .009000    .9999732        .2682033E-04
 .010000    .9999650        .3498710E-04

SAFETY CRITICAL SURVIVABILITY 

TAU         CONFIGURATION   FAILURE
            SURVIVABILITY   PROBABILITY
 .001000    .9999184        .8159043E-04
 .002000    .9999178        .822????E-04
 .003000    .9999166        .8338855E-04
 .004000    .9999148        .8517643E-04
 .005000    .9999123        .8773188E-04
 .006000    .9999088        .9117966E-04
 .007000    .9999044        .9563950E-04
 .008000    .9998988        .1012263E-03
 .009000    .9998920        .1080500E-03
 .010000    .9998838        .1162161E-03
TABLE 6.3-IV  VARIATIONS IN TRANSIENT FAULT RATE FOR THE 
ROLLAHEAD RECOVERY METHOD 

VARYING UNIT IS GPC 
MISSION TIME IS .6000000E+01 HOURS 

TAU         CONFIGURATION   FAILURE
            SURVIVABILITY   PROBABILITY
0.000000    .9999999        .7248427E-07
 .000100    .9999999        .8627534E-07
 .000200    .9999999        .1015241E-06
 .000300    .9999999        .1182983E-06
 .000400    .9999999        .1366650E-06
 .000500    .9999998        .1566914E-06
 .000600    .9999998        .1784445E-06
 .000700    .9999998        .2019908E-06
 .000800    .9999998        .2273969E-06
 .000900    .9999997        .2547294E-06
 .001000    .9999997        .2840540E-06

SAFETY CRITICAL SURVIVABILITY 

TAU         CONFIGURATION   FAILURE
            SURVIVABILITY   PROBABILITY
0.000000    .9999187        .8130429E-04
 .000100    .9999187        .8131808E-04
 .000200    .9999187        .8133333E-04
 .000300    .9999186        .8135010E-04
 .000400    .9999186        .8136847E-04
 .000500    .9999186        .8138849E-04
 .000600    .9999186        .8141024E-04
 .000700    .9999186        .8143379E-04
 .000800    .9999185        .8145919E-04
 .000900    .9999185        .8148652E-04
 .001000    .9999185        .8151585E-04
TABLE 6.3-V  VARIATIONS IN TRANSIENT FAULT RATE FOR THE 
ROLLAHEAD RECOVERY METHOD 

VARYING UNIT IS GPC 
MISSION TIME IS .6000000E+01 HOURS 

TAU         CONFIGURATION   FAILURE
            SURVIVABILITY   PROBABILITY
 .001000    .9999997        .2840540E-06
 .002000    .9999993        .7012847E-06
 .003000    .9999986        .1389054E-05
 .004000    .9999976        .2410340E-05
 .005000    .9999962        .3826203E-05
 .006000    .9999943        .5696104E-05
 .007000    .9999919        .8077374E-05
 .008000    .9999890        .1102581E-04
 .009000    .9999854        .1459545E-04
 .010000    .9999814        .1863862E-04

SAFETY CRITICAL SURVIVABILITY 

TAU         CONFIGURATION   FAILURE
            SURVIVABILITY   PROBABILITY
 .001000    .9999185        .8151585E-04
 .002000    .9999181        .8193304E-04
 .003000    .9999174        .8262076E-04
 .004000    .9999164        .8364106E-04
 .005000    .9999149        .8505776E-04
 .006000    .9999131        .8692746E-04
 .007000    .9999107        .8933853E-04
 .008000    .9999077        .9225673E-04
 .009000    .9999042        .9582693E-04
 .010000    .9998999        .1000689E-03
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TABLE 6.3-VI VARIATIONS IN TRANSIENT FAULT RATE WITH THE MEMORY COPY RECOVERY METHOD

VARYING UNIT IS GPC
MISSION TIME IS .6000000E+01 HOURS

     TAU        CONFIGURATION    FAILURE
                SURVIVABILITY    PROBABILITY
   0.000000       .9999999       .7248427E-07
    .000100       .9999999       .7977451E-07
    .000200       .9999999       .8706095E-07
    .000300       .9999999       .9434278E-07
    .000400       .9999999       .1016203E-06
    .000500       .9999999       .1088950E-06
    .000600       .9999999       .1161622E-06
    .000700       .9999999       .1234268E-06
    .000800       .9999999       .1306871E-06
    .000900       .9999999       .1379430E-06
    .001000       .9999999       .1451954E-06

SAFETY CRITICAL SURVIVABILITY

     TAU        CONFIGURATION    FAILURE
                SURVIVABILITY    PROBABILITY
   0.000000       .9999187       .8130429E-04
    .000100       .9999187       .8131158E-04
    .000200       .9999187       .8131887E-04
    .000300       .9999187       .8132615E-04
    .000400       .9999187       .8133343E-04
    .000500       .9999187       .8134070E-04
    .000600       .9999187       .8134797E-04
    .000700       .9999186       .8135523E-04
    .000800       .9999186       .8136249E-04
    .000900       .9999186       .8136975E-04
    .001000       .9999186       .8137700E-04
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TABLE 6.3-VII VARIATIONS IN TRANSIENT FAULT RATE WITH THE MEMORY COPY RECOVERY METHOD

VARYING UNIT IS GPC
MISSION TIME IS .6000000E+01 HOURS

     TAU        CONFIGURATION    FAILURE
                SURVIVABILITY    PROBABILITY
    .001000       .9999999       .1451954E-06
    .002000       .9999998       .2174736E-06
    .003000       .9999997       .2893246E-06
    .004000       .9999996       .3607505E-06
    .005000       .9999996       .4317544E-06
    .006000       .9999996       .5023304E-06
    .007000       .9999994       .5725084E-06
    .008000       .9999994       .6422643E-06
    .009000       .9999993       .7116102E-06
    .010000       .9999992       .7809488E-06

SAFETY CRITICAL SURVIVABILITY

     TAU        CONFIGURATION    FAILURE
                SURVIVABILITY    PROBABILITY
    .001000       .9999186       .8137700E-04
    .002000       .9999186       .8144927E-04
    .003000       .9999186       .8152112E-04
    .004000       .9999184       .8159254E-04
    .005000       .9999183       .8166353E-04
    .006000       .9999183       .8173411E-04
    .007000       .9999182       .8180428E-04
    .008000       .9999181       .8187403E-04
    .009000       .9999181       .8194337E-04
    .010000       .9999180       .8201230E-04
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TABLE 6.3-VIII VARIATIONS IN TRANSIENT FAULT RATE WITH THE ROLLBACK RECOVERY METHOD

VARYING UNIT IS GPC
MISSION TIME IS .6000000E+01 HOURS

     TAU        CONFIGURATION    FAILURE
                SURVIVABILITY    PROBABILITY
   0.000000       .9999999       .7248427E-07
    .000100       .9999999       .8154769E-07
    .000200       .9999999       .9154864E-07
    .000300       .9999999       .1022154E-06
    .000400       .9999999       .1136759E-06
    .000500       .9999999       .1259579E-06
    .000600       .9999999       .1393892E-06
    .000700       .9999998       .1530977E-06
    .000800       .9999998       .1683110E-06
    .000900       .9999998       .1838567E-06
    .001000       .9999998       .2006624E-06

SAFETY CRITICAL SURVIVABILITY

     TAU        CONFIGURATION    FAILURE
                SURVIVABILITY    PROBABILITY
   0.000000       .9999187       .8130429E-04
    .000100       .9999187       .8131346E-04
    .000200       .9999187       .8132336E-04
    .000300       .9999187       .8133432E-04
    .000400       .9999187       .8134548E-04
    .000500       .9999186       .8135776E-04
    .000600       .9999186       .8137089E-04
    .000700       .9999186       .8138490E-04
    .000800       .9999186       .8139981E-04
    .000900       .9999186       .8141566E-04
    .001000       .9999186       .8143246E-04
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TABLE 6.3-IX VARIATIONS IN TRANSIENT FAULT RATE WITH THE ROLLBACK RECOVERY METHOD

VARYING UNIT IS GPC
MISSION TIME IS .6000000E+01 HOURS

     TAU        CONFIGURATION    FAILURE
                SURVIVABILITY    PROBABILITY
    .001000       .9999998       .2006624E-06
    .002000       .9999996       .4275409E-06
    .003000       .9999992       .7802943E-06
    .004000       .9999987       .1285497E-05
    .005000       .9999980       .1969131E-05
    .006000       .9999971       .2856598E-05
    .007000       .9999960       .3972723E-05
    .008000       .9999947       .5341763E-05
    .009000       .9999930       .6987476E-05
    .010000       .9999911       .8932883E-05

SAFETY CRITICAL SURVIVABILITY

     TAU        CONFIGURATION    FAILURE
                SURVIVABILITY    PROBABILITY
    .001000       .9999186       .8143246E-04
    .002000       .9999183       .8165932E-04
    .003000       .9999180       .8201205E-04
    .004000       .9999175       .8251721E-04
    .005000       .9999168       .8320079E-04
    .006000       .9999159       .8408815E-04
    .007000       .9999148       .8520481E-04
    .008000       .9999134       .8657315E-04
    .009000       .999911?       .8821868E-04
    .010000       .9999098       .9016397E-04
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6.3.3 VARIATIONS IN THE DETECTABILITY PREDICTION 


In the baseline parameter set, the GPC detectability is chosen to be 
one because no uncoverage has been identified by the manufacturer. However, 
there is a 1-out-of-2 chance that a set of incorrect computations sums to 
the correct result for the output comparison. Thus, it is of interest to obtain 
results for GPC detectability values other than unity. The detectability for 
devices where a coverage analysis was unavailable was chosen to be .999, i.e., 
the design goal value. This section presents the results of an examination of 
the effects of imperfect GPC detectability and of what happens if .999 is too 
pessimistic for the peripheral devices. 

Table 6.3-X summarizes the effects of imperfect GPC detectability. We 
feel that the cooperative detection techniques used by the GPCs achieve a 
detectability of at least .99999. This results in more than a three-fold 
degradation of the estimated GPC survivability from that estimated for unity 
detectability, but it doesn't affect the overall safety-critical survivability. 
A GPC detectability of .999 is shown for completeness. The resulting increase 
in GPC and safety-critical failure probability is dramatic. 

The next question is what is to be gained by improving the flight-
critical device detectabilities. In Table 6.3-XII, TACAN detectability is 
varied from .999 to .9999. This results in a three-fold gain in TACAN surviv-
ability and a gain from 7.7(10)^-5 to 5.6(10)^-5 in safety-critical failure 
probability. Further increases in TACAN detectability add little to the safety-
critical survivability. 

Next, it is appropriate to ask what happens if all the device detect-
abilities are improved. Table 6.3-XI summarizes the improvements achieved in 
this case. Safety-critical failure probability has achieved nearly a four-fold 
improvement by increasing the device detectability from .999 to .9999. Further 
improvements bring smaller gains. 
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TABLE 6.3-X FAILURE PROBABILITIES FOR IMPERFECT GPC DETECTABILITY

     GPC                FAILURE PROBABILITY
 DETECTABILITY        GPC          SAFETY-CRITICAL
 .999,999,999      1.8(10)^-7        8.2(10)^-5
 .999,999,9        1.8(10)^-7        8.2(10)^-5
 .999,99           6.5(10)^-7        8.2(10)^-5
 .999              4.8(10)^-5        1.0(10)^-4


TABLE 6.3-XI FAILURE PROBABILITIES FOR IMPROVEMENTS IN DETECTABILITY FOR ALL DEVICES

 DETECTABILITY                      FAILURE PROBABILITY
 FOR EVERY
 DEVICE            TACAN         MSBLS         FWD FLIGHT-      SAFETY-
                                               CRITICAL         CRITICAL
 .999           2.3(10)^-5    1.0(10)^-5     5.8(10)^-5       8.1(10)^-5
 .999,9         7.3(10)^-6    2.3(10)^-6     1.7(10)^-5       2.2(10)^-5
 .999,99        5.7(10)^-6    1.5(10)^-6     1.4(10)^-5       1.7(10)^-5
 .999,999       5.6(10)^-6    1.4(10)^-6     1.3(10)^-5       1.6(10)^-5
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TABLE 6.3-XII SIX HOUR SURVIVABILITY FOR INCREASES IN TACAN DETECTABILITY

VARYING UNIT IS TACAN
MISSION TIME IS .6000000E+01 HOURS

 DETECTABILITY   CONFIGURATION    FAILURE
     THREE       SURVIVABILITY    PROBABILITY
    .999000        .9999765       .2348436E-04
    .999100        .9999783       .2170103E-04
    .999200        .9999801       .1991770E-04
    .999300        .9999819       .1813437E-04
    .999400        .9999836       .1635104E-04
    .999500        .9999854       .1456770E-04
    .999600        .9999872       .1278437E-04
    .999700        .9999890       .1100104E-04
    .999800        .9999908       .9217709E-05
    .999900        .9999926       .7434377E-05
   1.000000        .9999943       .5651045E-05

SAFETY CRITICAL SURVIVABILITY

 DETECTABILITY   CONFIGURATION    FAILURE
     THREE       SURVIVABILITY    PROBABILITY
    .999000        .9999228       .7722200E-04
    .999100        .9999246       .7544488E-04
    .999200        .9999263       .7366776E-04
    .999300        .9999281       .7189064E-04
    .999400        .9999299       .7011352E-04
    .999500        .9999317       .6833641E-04
    .999600        .9999334       .6655929E-04
    .999700        .9999352       .6478217E-04
    .999800        .9999370       .6300505E-04
    .999900        .9999388       .6122793E-04
   1.000000        .9999405       .5945081E-04
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TABLE 6.3-XIII SIX HOUR SURVIVABILITIES WHEN GPC DETECTABILITY IS .999 999 999

MISSION TIME IS .6000000E+01 HOURS

  UNIT      BASELINE        FAILURE
  NAME      SURVIVABILITY   PROBABILITY
  MCDS       .9999947       .5329936E-05
  GPC        .9999999       .6290993E-07
  FF MDM     .9999945       .5516707E-05
  ADTA       .9999940       .5996164E-05
  ACCEL      .9999980       .2044755E-05
  IMU        .9999944       .5587907E-05
  TACAN      .9999765       .2348436E-04
  MSBLS      .9999896       .1035253E-04
  RHC       1.0000000       .3602135E-07
  RPTA      1.0000000       .3602135E-07
  SBTC      1.0000000       .3602135E-07
  FA MDM     .9999947       .5276966E-05
  ASA        .9999976       .2399321E-05
  RGYRO      .9999988       .1224380E-05
  DDU        .9999986       .1444317E-05
  AVVI       .9999980       .2020859E-05
  A/MI       .9999975       .2546337E-05
  HSI        .9999990       .1038263E-05
  ADI        .9999985       .1469515E-05
  PCMMU      .9999529       .4712953E-04
  OF MDM     .9999928       .7206424E-05
  OA MDM     .9999928       .7206424E-05
  AFT FC     .9999911       .8901980E-05
  S CRIT     .9999184       .8158558E-04
  M CRIT     .9998569       .1431222E-03
  FT DIS     .9999904       .9577756E-05
  FWD FC     .9999423       .5771456E-04
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TABLE 6.3-XIV SIX HOUR SURVIVABILITIES WHEN GPC DETECTABILITY IS .999 999 9

MISSION TIME IS .6000000E+01 HOURS

  UNIT      BASELINE        FAILURE
  NAME      SURVIVABILITY   PROBABILITY
  MCDS       .9999947       .5329936E-05
  GPC        .9999999       .6667941E-07
  FF MDM     .9999945       .5516707E-05
  ADTA       .9999940       .5996164E-05
  ACCEL      .9999980       .2044755E-05
  IMU        .9999944       .5587907E-05
  TACAN      .9999765       .2348436E-04
  MSBLS      .9999896       .1035253E-04
  RHC       1.0000000       .3602135E-07
  RPTA      1.0000000       .3602135E-07
  SBTC      1.0000000       .3602135E-07
  FA MDM     .9999947       .5276966E-05
  ASA        .9999976       .2399321E-05
  RGYRO      .9999988       .1224380E-05
  DDU        .9999986       .1444317E-05
  AVVI       .9999980       .2020859E-05
  A/MI       .9999975       .2546337E-05
  HSI        .9999990       .1038263E-05
  ADI        .9999985       .1469515E-05
  PCMMU      .9999529       .4712953E-04
  OF MDM     .9999928       .7206424E-05
  OA MDM     .9999928       .7206424E-05
  AFT FC     .9999911       .8901980E-05
  S CRIT     .9999184       .8158935E-04
  M CRIT     .9998569       .1431260E-03
  FT DIS     .9999904       .9577756E-05
  FWD FC     .9999423       .5771456E-04
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TABLE 6.3-XV SIX HOUR SURVIVABILITIES WHEN GPC DETECTABILITY IS .999 99

MISSION TIME IS .6000000E+01 HOURS

  UNIT      BASELINE        FAILURE
  NAME      SURVIVABILITY   PROBABILITY
  MCDS       .9999947       .5329936E-05
  GPC        .9999996       .4436273E-06
  FF MDM     .9999945       .5516707E-05
  ADTA       .9999940       .5996164E-05
  ACCEL      .9999980       .2044755E-05
  IMU        .9999944       .5587907E-05
  TACAN      .9999765       .2348436E-04
  MSBLS      .9999896       .1035253E-04
  RHC       1.0000000       .3602135E-07
  RPTA      1.0000000       .3602135E-07
  SBTC      1.0000000       .3602135E-07
  FA MDM     .9999947       .5276966E-05
  ASA        .9999976       .2399321E-05
  RGYRO      .9999988       .1224380E-05
  DDU        .9999986       .1444317E-05
  AVVI       .9999980       .2020859E-05
  A/MI       .9999975       .2546337E-05
  HSI        .9999990       .1038263E-05
  ADI        .9999985       .1469515E-05
  PCMMU      .9999529       .4712953E-04
  OF MDM     .9999928       .7206424E-05
  OA MDM     .9999928       .7206424E-05
  AFT FC     .9999911       .8901980E-05
  S CRIT     .9999180       .8196627E-04
  M CRIT     .9998565       .1435029E-03
  FT DIS     .9999904       .9577756E-05
  FWD FC     .9999423       .5771456E-04
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TABLE 6.3-XVI SIX HOUR SURVIVABILITIES WHEN GPC DETECTABILITY IS .999

MISSION TIME IS .6000000E+01 HOURS

  UNIT      BASELINE        FAILURE
  NAME      SURVIVABILITY   PROBABILITY
  MCDS       .9999947       .5329936E-05
  GPC        .9999524       .4755363E-04
  FF MDM     .9999945       .5516707E-05
  ADTA       .9999940       .5996164E-05
  ACCEL      .9999980       .2044755E-05
  IMU        .9999944       .5587907E-05
  TACAN      .9999999       .7214457E-07
  MSBLS      .9999896       .1035253E-04
  RHC       1.0000000       .3602135E-07
  RPTA      1.0000000       .3602135E-07
  SBTC      1.0000000       .3602135E-07
  FA MDM     .9999947       .5276966E-05
  ASA        .9999976       .2399321E-05
  RGYRO      .9999988       .1224380E-05
  DDU        .9999986       .1444317E-05
  AVVI       .9999980       .2020859E-05
  A/MI       .9999975       .2546337E-05
  HSI        .9999990       .1038263E-05
  ADI        .9999985       .1469515E-05
  PCMMU      .9999529       .4712953E-04
  OF MDM     .9999928       .7206424E-05
  OA MDM     .9999928       .7206424E-05
  AFT FC     .9999911       .8901980E-05
  S CRIT     .9998967       .1033202E-03
  M CRIT     .9998351       .1648555E-03
  FT DIS     .9999904       .9577756E-05
  FWD FC     .9999680       .3196053E-04
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TABLE 6.3-XVII SIX HOUR SURVIVABILITIES WHEN PERIPHERAL DETECTABILITIES ARE .999 9

MISSION TIME IS .6000000E+01 HOURS

  UNIT      BASELINE        FAILURE
  NAME      SURVIVABILITY   PROBABILITY
  MCDS       .9999990       .1014979E-05
  GPC        .9999996       .3546683E-06
  FF MDM     .9999994       .5521404E-06
  ADTA       .9999994       .6002274E-06
  ACCEL      .9999997       .2634626E-06
  IMU        .9999990       .959494?E-06
  TACAN      .9999927       .7343147E-05
  MSBLS      .9999977       .2267179E-05
  RHC       1.0000000       .3621601E-08
  RPTA      1.0000000       .3621601E-08
  SBTC      1.0000000       .3621601E-08
  FA MDM     .9999995       .5281129E-06
  ASA        .9999998       .2399712E-06
  RGYRO      .9999999       .1441000E-06
  DDU        .9999998       .1779385E-06
  AVVI       .9999997       .2969821E-06
  A/MI       .9999996       .4242761E-06
  HSI        .9999999       .1088544E-06
  ADI        .9999998       .1826476E-06
  PCMMU      .9998697       .1302685E-03
  OF MDM     .9999810       .1896295E-04
  OA MDM     .9999810       .1896295E-04
  AFT FC     .9999987       .1300337E-05
  S CRIT     .9999779       .2209754E-04
  M CRIT     .9998097       .1902829E-03
  FT DIS     .9999977       .2254238E-05
  FWD FC     .9999828       .1717341E-04
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TABLE 6.3-XVIII SIX HOUR SURVIVABILITIES WHEN PERIPHERAL DETECTABILITIES ARE .999 99

MISSION TIME IS .6000000E+01 HOURS

  UNIT      BASELINE        FAILURE
  NAME      SURVIVABILITY   PROBABILITY
  MCDS       .9999993       .6553418E-06
  GPC        .9999996       .3546683E-06
  FF MDM     .9999999       .5568932E-07
  ADTA       .9999999       .6063254E-07
  ACCEL      .9999999       .8533318E-07
  IMU        .9999995       .4966521E-06
  TACAN      .9999943       .5729017E-05
  MSBLS      .9999985       .1458642E-05
  RHC       1.0000000       .3816183E-09
  RPTA      1.0000000       .3816183E-09
  SBTC      1.0000000       .3816183E-09
  FA MDM     .9999999       .5322665E-07
  ASA       1.0000000       .2403605E-07
  RGYRO     1.0000000       .3607195E-07
  DDU        .9999999       .1179205E-06
  AVVI       .9999998       .2152818E-06
  A/MI       .9999997       .3237044E-06
  HSI        .9999999       .6480658E-07
  ADI        .9999999       .1216586E-06
  PCMMU      .9998706       .1293540E-03
  OF MDM     .9999812       .1880278E-04
  OA MDM     .9999812       .1880278E-04
  AFT FC     .9999995       .5335751E-06
  S CRIT     .9999835       .1653373E-04
  M CRIT     .9998165       .1834853E-03
  FT DIS     .9999981       .1907151E-05
  FWD FC     .9999869       .1308304E-04
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TABLE 6.3-XIX SIX HOUR SURVIVABILITIES WHEN PERIPHERAL DETECTABILITIES ARE .999 999

MISSION TIME IS .6000000E+01 HOURS

  UNIT      BASELINE        FAILURE
  NAME      SURVIVABILITY   PROBABILITY
  MCDS       .9999994       .6193781E-06
  GPC        .9999996       .3546683E-06
  FF MDM    1.0000000       .6043571E-08
  ADTA      1.0000000       .6673055E-08
  ACCEL      .9999999       .6752025E-07
  IMU        .9999995       .4503679E-06
  TACAN      .9999944       .5567604E-05
  MSBLS      .9999986       .1377788E-05
  RHC       1.0000000       .5761791E-10
  RPTA      1.0000000       .5761791E-10
  SBTC      1.0000000       .5761791E-10
  FA MDM    1.0000000       .5738038E-08
  ASA       1.0000000       .2442555E-08
  RGYRO     1.0000000       .2526914E-07
  DDU        .9999999       .1119187E-06
  AVVI       .9999998       .2071117E-06
  A/MI       .9999997       .3135473E-06
  HSI        .9999999       .6040180E-07
  ADI        .9999999       .1155597E-06
  PCMMU      .9998707       .1292625E-03
  OF MDM     .9999812       .1878677E-04
  OA MDM     .9999812       .1878677E-04
  AFT FC     .9999995       .4568989E-06
  S CRIT     .9999840       .1597734E-04
  M CRIT     .9998172       .1828055E-03
  FT DIS     .9999981       .1872442E-05
  FWD FC     .9999873       .1267400E-04


TABLE 6.3-XX SIX HOUR SURVIVABILITIES WHEN PERIPHERAL DETECTABILITIES ARE .999 999 9

MISSION TIME IS .6000000E+01 HOURS

  UNIT      BASELINE        FAILURE
  NAME      SURVIVABILITY   PROBABILITY
  MCDS       .9999994       .6157817E-06
  GPC        .9999996       .3546683E-06
  FF MDM    1.0000000       .1079030E-08
  ADTA      1.0000000       .1277073E-08
  ACCEL      .9999999       .6573895E-07
  IMU        .9999996       .4457395E-06
  TACAN      .9999944       .5551462E-05
  MSBLS      .9999986       .1369702E-05
  RHC       1.0000000       .2523137E-10
  RPTA      1.0000000       .2523137E-10
  SBTC      1.0000000       .2523137E-10
  FA MDM    1.0000000       .9891608E-09
  ASA       1.0000000       .2831939E-09
  RGYRO     1.0000000       .2418836E-07
  DDU        .9999999       .1113185E-06
  AVVI       .9999998       .2062947E-06
  A/MI       .9999997       .3126416E-06
  HSI        .9999999       .5996132E-07
  ADI        .9999999       .1149498E-06
  PCMMU      .9998707       .1292534E-03
  OF MDM     .9999812       .1878517E-04
  OA MDM     .9999812       .1878517E-04
  AFT FC     .9999996       .4492313E-06
  S CRIT     .9999841       .1592170E-04
  M CRIT     .9998173       .1827376E-03
  FT DIS     .9999981       .1868972E-05
  FWD FC     .9999874       .1263310E-04
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

6.4 SUGGESTED IMPROVEMENTS 

The Shuttle orbiter avionics system was designed using the discrete 
fault tolerance criterion. Namely, the DPS can tolerate two faults (FO/FS) 
with a coverage of .999. This provides a feeling of confidence to the user of 
the orbiter. The other major fault tolerance criterion for system design is 
the survivability (or reliability or mission success probability). The frequent 
goal using this criterion is a balanced design where each module set contributes 
a portion of the total failure probability as nearly equal as possible to other 
contributors of failure probability. Thus, improving the highest failure 
probability device adds the most to system improvement. A variation of this 
technique is one where a calculation of the change in survivability per unit 
weight (or power) is made for each subsystem, and then the redundancy increase 
is made in the subsystem showing the largest quotient. 

The elements that influence the system survivability prediction are the 
partitioning of the system and the parameters of the analytic model. The 
partitioning is a function of the system design and is difficult to change. Of 
the modeling parameters, mission time is fixed. Parts selection can improve 
failure rate, while improvements to fault tolerance methods can enhance the 
components of coverage. 

The baseline Shuttle avionics system survivability for the ALT mission 
time is "driven" by the peripheral device detectabilities. Improvement of this 
parameter adds a marked improvement to the Shuttle survivability prediction. 
Increasing the detectability from .999 to .9999 gives four-fold improvements 
in failure probability. Further improvements add less. The system survivability 
is still dominated by the high failure rate forward flight critical bus devices. 
At a detectability of .9999, increasing the redundancy could help, but this 
doesn't seem feasible at this stage of development. An interesting point is 
that at a detectability of .999, with the predicted failure rates and the ALT 
mission time, redundancy increases are counter-productive. For example, the IMU 
with a redundancy of 3 has a better survivability prediction at six hours than 
the ADTA with a smaller failure rate and a redundancy of 4. This is not true for 
a detectability of .9999 or for a mission time of 20 hours. 

In the baseline parameter set, GPC recoverability was chosen to be 1. 

If switching off a faulty GPC is done manually by a human operator, then fault 
recovery time is governed by human reaction time, and the correctness of the 
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recovery action taken is degraded by a panic situation during time-critical 
phases. We know that if this degradation results in a GPC recoverability as 
small as .999, then it becomes a very important factor to be considered. If 
this is the case, other GPC options such as transient recovery become important. 
Perhaps a way of obtaining sufficient memory space and GPC operations rate to 
allow automatic switchout of a faulty GPC would be to commit more of the IOP 
operations to microprogram. 

Automatic use of an alternate MOM port during time-critical phases is 
not useful. However, for orbital flight, the use of alternate ports for recon- 
figuration at the beginning of deorbit will enhance the probability of beginning 
descent at full redundancy. 
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6.5 SYSTEM MODEL VERIFICATION 


The modeling presented here is thought to be a true representation of 
the Shuttle avionics system for ALT. Certain laboratory tests are possible to 
verify the model. Faults may be physically injected into the system, and the 
resulting recovery may be observed. Since the model presented here is 
probabilistic, the faults should be chosen at random according to the failure 
rate of the parts. The system fails if it is no longer capable of performing all 
its critical functions. Protective redundancy used by the system means that 
more than one fault may be sustained before the system fails. But a single 
uncovered fault may cause the system to fail. 

The first approach is to generate faults for a series of six-hour 
missions, inject the faults, and record the results. The resulting failure 
probability is the number of failed missions divided by the total number of 
missions. This approach is straightforward but can't be done in a reasonable 
amount of time in practice. The reason is that system failures occur 
approximately once every 10,000 missions, on the average. One or more faults 
occur in about one out of ten missions, so that, on the average, 1000 missions 
would have to be experimentally checked for each system failure. About 200 
system failures should occur for an approximate system model verification. The 
resulting 200,000 experiments are a formidable task. 

A method to reduce the magnitude of this is to extend the mission time 
to where the probability of failure is much greater, say .1 or .2. This only 
tests a generally uninteresting extreme prediction. 

Methods should be sought to reduce the size of the task. The number 
of experiments can be reduced by concentrating on a portion of the system. 
This eliminates the sizeable number of missions that have several faults, but 
only a single fault in each device. 

Another method, which can be used in conjunction with the first, is to 
realize that the probability of exactly k faults occurring in a mission of 
length T on a system or portion of a system with total failure rate $\lambda$ is 

$$P(k) = e^{-\lambda T} (\lambda T)^k / k!$$

Experiments are then run with 1, 2, 3, etc. faults to obtain failure statistics 
on the number of faults per mission. The resulting failure probability is then 

$$F(T) = \sum_k P(k)\,\frac{\text{Number of failures with } k \text{ faults}}{\text{Number of missions with } k \text{ faults}}$$
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The GPCs would be a desirable unit to which to apply this kind of experiment. 
With a coverage of 1 for the first two faulty GPCs, we can concentrate on 
missions with three or more faults. Evaluating P(k) for k = 3, 4, 5, with 
$\lambda = 4000/10^6$ per hour and T = 6 hours: 

$P(3) \approx e^{-.024} (.024)^3 / 3! = 2.3(10)^{-6}$

$P(4) \approx 1.8(10)^{-8}$

$P(5) \approx 6.6(10)^{-11}$

Three-fault missions have a large impact on the GPC failure probability of 
3.5(10)^-7; four-fault missions, at most, affect the failure probability by 
±2 in the second significant digit; and five-fault missions have little impact 
on the failure probability prediction. Therefore, experimentation can be 
confined to three-fault missions. We would expect about 5 to 10 percent of 
the three-fault missions to fail. One thousand missions should result in 
50 to 100 failures. Fault patterns where the three faults occur in at most 
2 GPCs need not be performed, and may be counted as a non-failed mission. In 
performing the experiments, any failure after one or two faults indicates the 
GPC coverage is less than one. 

The next question is how to inject the faults into the system. The 
first method is for a technician to physically open or short the electrical 
points chosen by random number generation, and record the results. This 
is a tedious job, but requires the least development of specialized equipment. 
A more elegant and rapid method would be to electrically inject the faults 
under minicomputer control. This has the added advantage that the random 
faults may be generated by the minicomputer. The disadvantage of this method 
is the development time and expense of this additional, specialized test 
equipment. 
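As an added worked example, not part of the report, the Poisson stratification described above in Python: it evaluates P(k) for the report's λ and T, applies the argument used above to decide which fault-count strata can actually change the estimate (and so which need injecting), combines per-stratum injection results into F(T), and reproduces the brute-force mission count. The injection counts are constructed for illustration and the function names are my own.

```python
import math

# Parameters from the report's worked example (Section 6.5): total failure
# rate of the GPC set lambda = 4000 per 10^6 hours, ALT mission time T = 6 h.
LAMBDA_PER_HOUR = 4000 / 1e6
MISSION_HOURS = 6.0


def p_faults(k, lam=LAMBDA_PER_HOUR, t=MISSION_HOURS):
    """Poisson probability P(k) of exactly k faults in a mission of length t."""
    x = lam * t
    return math.exp(-x) * x ** k / math.factorial(k)


def strata_to_test(baseline_fp, first_covered=2, rel_tol=0.05, k_max=10):
    """Fault counts k whose missions must actually be injected.

    Missions with at most `first_covered` faults are assumed covered
    (coverage 1 for the first two faulty GPCs, as in the report) and never
    fail.  A stratum with k faults can contribute at most P(k) to F(T), so if
    P(k) is below rel_tol * baseline_fp it cannot move the estimate by more
    than that fraction and is skipped.  P(k) decreases with k here because
    lambda * T << 1, so the selected strata are contiguous.
    """
    return [k for k in range(first_covered + 1, k_max + 1)
            if p_faults(k) >= rel_tol * baseline_fp]


def stratified_failure_probability(results, lam=LAMBDA_PER_HOUR, t=MISSION_HOURS):
    """F(T) = sum over k of P(k) * failures_k / missions_k.

    `results` maps k -> (missions run with k faults, missions that failed).
    Strata that were not run contribute zero, which is only valid when
    strata_to_test() says they are covered or negligible.
    """
    total = 0.0
    for k, (runs, failed) in results.items():
        if runs <= 0 or failed < 0 or failed > runs:
            raise ValueError(f"bad counts for k={k}: {runs} runs, {failed} failed")
        total += p_faults(k, lam, t) * failed / runs
    return total


def naive_experiments_needed(target_failures, mission_failure_prob, p_any_fault):
    """Fault-carrying missions to run for the brute-force approach.

    Only missions with at least one fault need injecting, so the failure
    probability per injected mission is mission_failure_prob / p_any_fault.
    round() guards against a float quotient landing just above an integer.
    """
    per_injected_mission = mission_failure_prob / p_any_fault
    return math.ceil(round(target_failures / per_injected_mission, 6))


if __name__ == "__main__":
    for k in (3, 4, 5):
        print(f"P({k}) = {p_faults(k):.2e}")
    # Constructed injection results (not measured data): 1000 three-fault
    # missions of which 70 failed, i.e. within the report's 5-10 % range;
    # one- and two-fault missions are covered and show no failures.
    sample = {1: (50, 0), 2: (50, 0), 3: (1000, 70)}
    print("strata to test:", strata_to_test(3.5e-7))
    print(f"F(T) = {stratified_failure_probability(sample):.2e}")
    print("brute-force missions:", naive_experiments_needed(200, 1e-4, 0.1))
```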
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7.0 CONCLUSIONS AND RECOMMENDATIONS 

7.1 CONCLUSIONS 

Five significant conclusions were drawn from the work performed on the 
Shuttle avionics survivability analysis project. These are presented in prose 
in the following paragraphs, and summarized in Table 7.1-1 on the facing page. 

The accuracy of the prediction of the components of coverage for the 
various avionics subsystems is crucial with respect to the accuracy attain- 
able in the overall survivability prediction. This is particularly true for 
units whose coverage components, e.g., detectability, are in the region of 
0.999. For example, a change from 0.999 to 0.9999 lowers the safety-critical 
failure probability by a factor of four. 

Use of the alternate MDM port for reconfiguration of GPC bus assign- 
ments will become useful when TACAN and/or microwave scan beam landing system 
units with lower failure rates become available. 

The use of a recovery technique consisting of rollahead combined with 
memory copy has the potential of reducing transient leakage to zero (i.e., no 
transient faults are mistaken for permanents). This compares with the result 
of 70.3% when using the baseline technique of delay recovery. This more 
sophisticated GPC transient-fault recovery technique is most useful in hostile 
transient-fault environments, or when GPC coverage is degraded. 

Improvement in TACAN detectability offers the most promise of improv-
ing the overall avionics failure probability. For example, improving the 
TACAN detectability from 0.999 to 0.9999 will decrease the overall avionics 
failure probability from 7.7(10)^-5 to 5.6(10)^-5. 

Laboratory testing to verify the models presented here is feasible, 
but the testing must be carefully designed so as to obtain the maximum results 
in a reasonable test time. This test design includes both the test procedure 
and the test implementation, e.g., computer programs for automatic fault 
injection. 
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TABLE 7.1-1 CONCLUSIONS 


• Overall survivability accuracy depends critically 
on coverage-component accuracy 

• Reconfiguration using the alternate MDM port is 
efficacious for lower failure rate units 

• An alternative GPC recovery technique can reduce 
transient-fault leakage to zero 

• Improving TACAN detectability offers the most 
promise for decrease of overall failure probability 
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7.2 RECOMMENDATIONS 

The principal recommendation resulting from the performance of this 
study is that both the analytic model and simulator portion of CAST be further 
enhanced so that the OFT mission configuration can be modeled. This enhancement 
is required because of the ALT-OFT differences discussed below and summarized 
in Table 7.2-1. 

The mission time-line of OFT consists of the ascent, orbit operations, 
and return portions, each of which is divided into more detailed phases. ALT 
encompasses only the late TAEM and approach and landing phases. These differ- 
ences cause two aspects to need to be taken into account in the OFT modeling 
and simulation. First, it is necessary to adjust the planned DPS configuration 
as each new phase is entered. For example, during orbit two GPCs are operated 
in concert, while during return four GPCs are used. Second, it is necessary to 
model the fact that phases subsequent to the first may be entered with fewer 
than the planned complement of units operating. This results in probabilistic 
initial conditions for the second and later phases. It is thought that modeling 
work will be applicable here. In the simulator, this problem is approached by 
beginning each phase with the fault conditions encountered at the close of the 
previous phase. 

The MCDS required a special model for ALT. The addition of an extra 
DEU for OFT will require new analytic and simulation models. 

The GPC model applies to the ALT configuration of DDUs, but in OFT the 
additional DDU with only an ADI attached leads to a modeling situation similar 
to that encountered in the flight-critical MDMs. Thus, the flight-critical MDM 
model is applicable here. The addition of the EIU and MEC to the flight- 
critical bus leads to a change in the simulation of the flight-critical bus 
and additional models for these. 

The remaining partitions can be modeled by the "standard" GPC model. 
However, there is an impact on the simulation. New programs are required from 
mass memory for changes in mission phase. Therefore, there is a strong inter- 
action between MM and the GPC for OFT and this must be modeled. Also, the 
survival of the return phase programs becomes an important issue. 
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TABLE 7.2-1 ALT-OFT DIFFERENCES

ANALYTIC MODEL

ITEM                        ALT                               OFT
Mission Time Line           Single Configuration;             Several Configurations;
                            Deterministic Initial             Probabilistic Initial
                            Conditions                        Conditions for Each Phase
MCDS                        Special Model                     New Model Required
DDU, FFMDM, FAMDM           Special Model                     Adaptation of Special Model
GPC, PCMMU, MM, PLDMDM      GPC Model Applies                 GPC Model Applies
EIU, MEC, MCIU, SRBMDM      Not Used                          GPC Model May Apply

SIMULATOR

ITEM                        ALT                               OFT
Mission Time Line           Only One Phase is Simulated       Several Phases, Each with
                                                              Different Configurations;
                                                              Initial Conditions for Each
                                                              Phase Determined by Status
                                                              of Previous Phase
MCDS Partition              Simulated by Separate             New Model Required
                            Subroutines
FCBUS Partition             Model Includes DDU, FF-MDM,       Need to Add Simulation
                            FA-MDM and Their Associated       Models for EIU's and MEC's
                            Devices
GPC Partition               Quadruplex Configuration;         Configuration Varies
                            SM Functions in Redundant Set     Depending on Mission Phase;
                                                              SM Function Removed from
                                                              Redundant Set; Software
                                                              Reconfiguration from MM at
                                                              Phase Changes
Mission Critical Devices    Not Used                          Simulation Required
(MM, PCM)
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